Android malware is becoming increasingly sophisticated and better at hiding its true intentions. The latest malicious spyware, discovered by security firm Zimperium, disguises itself as a system update app to keep you from realizing that it is actually recording calls, tracking your location, and accessing WhatsApp messages.

Such remote access Trojans (RATs) are nothing new, but malware masquerading as Android updates is certainly unusual.

Once downloaded to an unsuspecting Android user's phone, the app registers the device with Google's Firebase Command & Control and uses the resulting token to send its own system commands via cloud messaging to Sending.

"The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," Zimperium explains in a blog post. As you can see from the screenshot below, "Searching for updates..." appears, but this is not a legitimate Android message.

This malware actively waits for interesting activity and then begins to act. When a call is made, it records the conversation, collects updated call logs, and sends them as an encrypted .zip file to the C&C server.

They are also quite good at covering their tracks, deleting evidence as soon as the server returns a "success" response.

Curiously, the spyware is particularly interested in WhatsApp conversations. After accessing the phone's accessibility services (which requires convincing the user through social engineering), when this malware detects that WhatsApp is running, it scrapes the contents of the screen. with root privileges, it can also download the app's private If root privileges are available, it also steals WhatsApp database files from the app's private storage.

There is another unusual element: the malware is interested in images and videos in external storage, but initially scrapes thumbnail images rather than uploading the entire file.

Zimperium believes this is another attempt to evade detection because it "significantly reduces bandwidth consumption and shows no signs of data leakage over the Internet."

The good news? According to the researchers, the app "was not and never has been in Google Play."

In other words, it is limited to third-party stores and sideloading, meaning that the majority of Android owners need not worry about this particular app.

Still, Google's advice to stick to its own store is clearly self-serving, but it is a timely reminder that there are good reasons why inexperienced users should follow its suggestion anyway.