MobSTSPY – Info-Stealing & Phishing Spyware Finds Its Way Into Google Play Store


Spyware camouflaged as Android applications has found its way into the Google Play store, and a part of the malicious applications being downloaded multiple times by users across the world last year. Identified as ANDROIDOS_MOBSTSPY and named MobSTSPY, Trend Micro specialists said the malware initially grabbed their attention when it was disguised as a called Flappy Birr Dog.

A total of 7 apps contain MobSTSPY Android spyware, out of which one has been installed over 100,000 times. Below is the list of apps:

  • Flappy Bird
  • HZPermis
  • Pro Arabe
  • FlashLight
  • Flappy Birr Dog
  • Win7Launcher
  • Win7imulator

Malware masquerades as a legitimate application that claims to be torches, games, and tools for productivity. While it is not uncommon to find armed goods in third-party app stores, MobSTSPY has also managed to infiltrate Google Play with at least six different apps in 2018. The Android spyware is identified in utility apps and games that have been disguised successfully to appear legitimate. The spyware has information stealing and phishing capabilities. Most of the infected devices are identified in India but the spyware seems to have been distributed globally as it has managed to infect devices in around 196 countries.

MobSTSPY - Spyware

MobSTSPY is capable of stealing information like user location, SMS conversations, call logs and clipboard items. It uses Firebase Cloud Messaging to send information to its server. Once the malicious application is launched, the malware will first check the device’s network availability. The malware then collects certain device information such as the language used, its registered country, package name, device manufacturer etc. and sends the gathered information to its Command & Control server – a centralized computer that issues commands to a botnet and receives reports. The malware is even capable of stealing and uploading files found on the device.

In addition to its info-stealing capabilities, the malware can also gather additional credentials through a phishing attack. It’s capable of displaying fake Facebook and Google pop-ups to phish for the user’s account details. If the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful. At which point the malware would already have stolen the user’s credentials.

Facebook Login Failed - Spyware

The infected apps were available on Google Play Store in 2018 and five of them have already been suspended by Google while the last one is also not available for downloading anymore on its official marketplace. However, third-party app stores are still offering them and it is currently unclear how many users have so far been affected by Mobstspy malware. To prevent from getting infected, researchers recommend users install a comprehensive cybersecurity solution to defend their mobile devices against mobile malware.

Leave a Reply

Your email address will not be published. Required fields are marked *