Andr/Spy-BFI

Once installed, the spyware sends unique, identifiable device parameters to its command-and-control server.

The spyware app initially disguises itself as something called “App Updates” ... with names that include App Updates, System Apps Updates, or Android Update Intelligence.

Once the target has granted all these permissions, the app disguises itself to evade any attempts at manual removal by the user. The spyware changes its icon (and name) to disguise itself using an icon of one of the four apps: Google Play, Youtube, Google, or Botim.

Once installed, the spyware sends unique, identifiable device parameters to its command-and-control server.

The first time the user opens the app, it requests that the user grant the app specific permissions ... But the apps also use a bit of social engineering to ask the user to grant advanced permissions: notification access, device administrator, and the ability to observe the user’s actions while interacting with apps.

Once installed, the spyware sends unique, identifiable device parameters to its command-and-control server.

Many of the new variants were found to have been digitally signed by a certificate ... that Sophos has associated with malware for years.

The app does the following things: Collects SMS, contacts, call logs Collects images and documents

The first time the user opens the app, it requests that the user grant the app specific permissions ... But the apps also use a bit of social engineering to ask the user to grant advanced permissions: notification access, device administrator, and the ability to observe the user’s actions while interacting with apps.

Taking screenshots and recording video of the screen

Recording audio, incoming and outgoing calls, including WhatsApp calls

Taking pictures using the camera

Internal logging shows the app writing out the contents of the contact list, call logs, and SMS messages to a Zip archive it later uploads to its C2

Each functionality of the spyware has a command associated with it. The commands are received via Firebase messaging, and the spyware performs the corresponding function as and when instructed.

We also found that it tried to install its own version of Botim from the application’s assets.

One of the newer features of this variant is that it will, initially, use a hardcoded C2 address to communicate, but also contains code that allows the operators of the spyware to push down a new address.

Internal logging shows the app writing out the contents of the contact list, call logs, and SMS messages to a Zip archive it later uploads to its C2