Researchers from Lookout’s Security Research team identified a piece of spyware hiding in four apps available in Google’s official app store. The spyware has been named Overseer, and is capable of stealing personal data from users. Three of the infected apps were news related, from a developer named RSS News. Two of these three apps showed news items related to Russia, while the third showed news on European topics. The fourth and last app detected as infected with the spyware could be used to search for embassies around the world.
Overseer is capable of gathering and exfiltrating information such as the user’s contacts, including name, phone number, email, and times contacted; all user accounts on a compromised device; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, device and Android information; and details of installed packages, Lookout researchers outlined in a blog post.
According to Lookout:

It targets foreign travelers, with its core functionality of searching for the embassies’ locations. For example, enterprise executives could be impacted by Overseer if they had downloaded the Embassy app during business travel.

Its command and control (CNC or C2) uses Facebook’s Parse Server, hosted on Amazon Web Services. By using the Facebook and Amazon services, the spyware makes use of HTTPS and a CNC residing in the United States on a popular cloud service. This allows it to remain hidden because it doesn’t cause Overseer’s network traffic to stand out, and could potentially present a challenge for traditional network-based IDS solutions to detect.