vissha
Posted October 30, 2015

Android Malware Hides as Microsoft Word File, Steals and Emails User Data to Attacker

Android malware uses old techniques, comes with new tricks

A sneaky Android malware is disguising itself as a Microsoft Word document to trick users into opening it and triggering its malicious code.

The Android app is mimicking early Windows era malware, by using a common and well-known file icon to make users think it's safe to interact with.

As usual, the malware reaches phones when users install apps from unofficial sources.

If by any chance users are so foolish as to tap on a Word document that appears out of nowhere on their home screen, the malware makes the user believe nothing has happened by showing an error message that reads "Installation errors, this software is not compatible with the phone."

The malware steals the user's contact list and SMS messages

While this error popup is being displayed on the screen, the malware does its dirty work under the hood, by starting a few hidden Android OS services that allow it to tap into various phone data repos, extract details, and control SMS and email functions.

The malware is basically an Android infostealer, one that exfiltrates SMS messages and contact lists.

Zscaler researchers have analyzed its source code and found that the malware comes hardcoded with a phone number to which it sends an SMS with the phone's IMEI code.

User data is sent to a hardcoded email address

Additionally, an email address can also be found, along with its password, to which the malware sends emails with the phone's SMS messages and contact lists.

By accessing this email account, Zscaler researchers were able to determine that around 300+ victims were infected and had their data stolen. The earliest emails go back to October 10, 2015.

An additional calling function is also included. When attackers send a specially-formatted SMS message to the victim's phone, the malware intercepts it and starts a phone call to a number contained in the SMS. This feature can be used to spy on users in real time.

Because the app gets administrative rights when installed, users can remove it if they boot their phone in safe mode, deactivate the app from Settings --> Security --> Device Administrator, and then uninstall it from Settings --> Apps --> Uninstall.

More Images here: Source
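The behaviours described in the post above can be checked for during app triage. The following is an added example, not code from the post or from Zscaler's analysis: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the behaviour-to-permission mapping, the `triage` function and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."

# Behaviours reported in the article -> permissions an app must request to do
# them. The mapping is this example's assumption, not taken from the analysis.
BEHAVIOURS = {
    "reads SMS messages": {P + "READ_SMS"},
    "reads the contact list": {P + "READ_CONTACTS"},
    "reads the IMEI and sends SMS": {P + "READ_PHONE_STATE", P + "SEND_SMS"},
    "intercepts incoming SMS": {P + "RECEIVE_SMS"},
    "places phone calls": {P + "CALL_PHONE"},
    "can reach a mail server": {P + "INTERNET"},
}

def triage(manifest_xml):
    """Return (findings, suspicious) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = [b for b, need in BEHAVIOURS.items() if need <= requested]
    # A device administrator is a <receiver> guarded by BIND_DEVICE_ADMIN.
    admin = any(r.get(A + "permission") == P + "BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    if admin:
        findings.append("registers a device administrator")
    # Flag only the combination: data-theft capability plus removal resistance.
    steals = {"reads SMS messages", "reads the contact list"} <= set(findings)
    return findings, admin and steals

# Constructed sample manifests (not from any real app).
def _manifest(perms, admin):
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    recv = ('<receiver android:name=".Admin" '
            'android:permission="%sBIND_DEVICE_ADMIN"/>' % P) if admin else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.constructed">%s<application>%s</application>'
            '</manifest>' % (uses, recv))

SUSPECT = _manifest(["READ_SMS", "READ_CONTACTS", "SEND_SMS", "READ_PHONE_STATE",
                     "RECEIVE_SMS", "CALL_PHONE", "INTERNET"], admin=True)
SMS_APP = _manifest(["READ_SMS", "READ_CONTACTS", "SEND_SMS", "RECEIVE_SMS"],
                    admin=False)

if __name__ == "__main__":
    for name, xml in (("SUSPECT", SUSPECT), ("SMS_APP", SMS_APP)):
        print(name, triage(xml))
```

The verdict keys on the combination of SMS and contact access with a device-administrator receiver, since an ordinary messaging app requests the same data permissions without asking for administrative rights.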