Chrome, the web browser for Android users, has always received updates through the Google Play Store, but users unaware of that may be more likely to fall prey to newly discovered malware that steals calling, texting and banking information. Making matters worse, this malware is able to evade antivirus software and cannot be removed without erasing everything on your device.
Discovered by California-based security firm Zscaler, this new Android malware camouflages itself as a Chrome web browser update called “Update_chrome.apk”, and if it gets on your device it can do a lot of damage. It harvests call logs, SMS data, browser history and banking information, and sends all the data it collects to a remote command and control (C&C) server. This malware is also capable of checking for installed antivirus applications and terminating them to evade detection.
One more important thing to keep in mind: if users open the Play Store on an infected device, the malware presents a phony Play Store payment information page asking for credit card information, either making users think they are just updating their information or tricking them into buying something. After that data is entered, a screenshot is sent to a phone number in Russia. Android antivirus software often detects malicious files, but this malware includes hard-coded checks for antivirus applications like Kaspersky, ESET, Avast and Dr. Web. Once the antivirus suites are found, the malware wipes them from the device so it can operate without restriction.
It looks like this malware is spreading from compromised or malicious websites: when people browse these sites on their devices, they are presented with a pop-up asking them to update their Chrome browser.
From there, you would have to accept the download of this file, and you would need to have disabled one of Android’s default security settings, the one that prevents the installation of programs from unknown sources. Once that is done, the malware (making you think it’s a simple browser update) will ask you for administrative access. After granting admin access, then and only then are you infected.
To start with, all Chrome updates should be automatic and get installed in the background from the Google Play Store, never from a website, so if you are presented with a browser pop-up asking you to update Chrome, close out of it.
As always, I’d suggest that you don’t change the setting that allows for installation of apps from unknown sources, and that you only download and install software from approved first-party stores like Google Play.
Unfortunately, once this malware is installed onto a device, it can only be removed by doing a complete factory reset, so it’s imperative that you have some type of backup solution in place for your personal data. I’d also recommend going to www.androidcentral.com for assistance or help on this topic, as they have lots of information on all things Android.