pearljae.blogg.se

Fir auth gms firebaseapp spyware

We discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, with some recorded to have already been downloaded over 100,000 times by users from all over the world.

One of the applications we initially investigated was the game called Flappy Birr Dog, as seen in Figure 1. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird. Five out of six of these apps have been suspended from Google Play since February 2018. And as of writing, Google has already removed all of these applications from Google Play.

Figure 1. Flappy Birr Dog download page

Information stealing

MobSTSPY is capable of stealing information like user location, SMS conversations, call logs and clipboard items. It uses Firebase Cloud Messaging to send information to its server.

Once the malicious application is launched, the malware will first check the device's network availability. It then reads and parses an XML configuration file from its C&C server.

Figure 2. Example of configuration file being taken from a C&C server

The malware will then collect certain device information such as the language used, its registered country, package name, device manufacturer, etc. Examples of all the information it steals can be seen in Figure 3.

It sends the gathered information to its C&C server, thus registering the device. Once done, the malware will wait for and perform commands sent from its C&C server through FCM.

Depending on the command the malware receives, it can steal SMS conversations, contact lists, files, and call logs, as seen from commands in the subsequent figures below.

The malware is even capable of stealing and uploading files found on the device, and will do so as long as it receives the commands as seen in Figures 8 and 9 respectively.

Figure 9.

In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It's capable of displaying fake Facebook and Google pop-ups to phish for the user's account details. If the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful, at which point the malware would already have stolen the user's credentials.

Figure 11. Fake Facebook login pop-up

User distribution

Part of what makes this case interesting is how widely its applications have been distributed. Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries.

Figure 12. Top countries with the most number of affected users

onebusaway-android/google-services.json already exists in OBA Android from the ES SDK configuration.

    // Manually configure and initialise a second ("secondary") Firebase app.
    FirebaseOptions options = new FirebaseOptions.Builder()
            .setApplicationId("<application-id>") // Placeholder: value not shown on this page; build() requires it.
            .setApiKey("AIzaSyADUe90ULnQDuGShD9W23RDP0xmeDc6Mvw") // Required for Auth.
            .setDatabaseUrl("") // Required for RTDB.
            .build();
    FirebaseApp.initializeApp(this /* Context */, options, "secondary");
    FirebaseApp secondary = FirebaseApp.getInstance("secondary");
    FirebaseDatabase secondaryDatabase = FirebaseDatabase.getInstance(secondary);

This design makes sense to me for three reasons:

  • It puts all ES SDK config in the same file (embedded_social_config).
  • It seems a little strange to have the default google-services.json in an app belong to an SDK.
  • If an app wants to adopt the ES SDK, and they already use Firebase, with the current ES SDK design they'd need to move their default Firebase config to a secondary manual config. It's less friction to adopt if the dev doesn't need to change their Firebase config at all to adopt ES SDK.

  • Try to configure the OneBusAway Android app with a new Firebase project:
  • When a google-services.json file is generated by the Firebase console, follow the instructions to add it to the OBA Android project at /onebusaway-android/google-services.json

ES SDK shouldn't block me from adding a Firebase project to the OBA Android app - ideally there shouldn't be an existing /onebusaway-android/google-services.json file that's not owned by the OBA app.










