Google takes down Android app that let hackers control your phone through SMS

By Adam Ismail April 21, 2017

android spyware works through text smartphone cellphone hacking frustration

An internet security company has published its findings on an Android app that contained spyware controlled via text messages. Researchers at Zscaler have determined an app suspiciously titled “System Update” gave attackers the ability to execute commands on a remote device and receive its location data. The app — which was just deleted on Google Play Store — had been available for the last three years, and was listed as having been downloaded anywhere from 1 million to 5 million times.

The reviews all indicate users had been installing System Update believing, unsurprisingly, that it would update the version of Android on their device. Instead, when opened for the first time, the app would display the standard system error message — “Unfortunately, System Update has stopped” — and remove itself from the app drawer.

Zscaler

Recommended Videos

This would activate the spyware, named SMSVova, and set things into motion. SMSVova fetches the user’s location data and begins reading text messages, looking for an SMS message that reads “get faq.” If another device texts “get faq” to the infected party, the latter will automatically respond with a list of commands. By texting these commands to the affected device, the attacker could remotely lock the phone with a password or even issue fake low-battery warnings.

At this point, the attacker is given total access to the coordinates of the infected phone. Although the app is no longer available to download from Google’s marketplace, Zscaler reports it found the code living in another remote access program, called DroidJack.

There is of course no shortage of ways in which an unscrupulous hacker could gain access into your phone, especially with the help of user-installed software. But this is certainly one of the more interesting methods. It’s also quite frightening, considering it gives the attacker so much power through the seemingly harmless and unsophisticated medium of text messages. Then again, in light of the deadly string of emojis that can incapacitate an iPhone, perhaps we shouldn’t be so surprised.

Topics

Former Digital Trends Contributor

Adam’s obsession with tech began at a young age, with a Sega Dreamcast – and he’s been hooked ever since. Previously…

Mobile

Google overhauls its Family Link app for easier parental controls

Google Family Link app.

Google's Family Link app has been a great resource for parents looking to keep an eye on what their children are up to with their devices. Now, it's getting even better thanks to an app overhaul that puts the focus on safety and communication. While the Google Family Link app has previously been praised for its solid parental control settings, the redesign adds plenty of new features that make it easier than ever for parents to monitor smart device usage while keeping children informed about the parental control settings in place.

In addition to a design update that sorts the app into three main tabs (Highlights, Controls, and Location), there's also a laundry list of new features coming to Family Link. Since safety is a huge part of what makes the app appealing, features such as notification alerts when a device arrives at a specific destination (like school or a friend's house) and the ability to see an individual device's battery life are new additions that give parents peace of mind when their kids leave the house.

Mobile

Google wants to kill your passwords on Android and Chrome with passkeys

Google passkeys on Android

Google is building out passkey support into Android, though you won't be able to use it yet without some tinkering. The search giant shared that it would be making the password-killing feature available for testing today for users on Google Play Services Beta or Chrome Canary, with general availability coming later in the year. Aside from Android and Chrome devices, passkeys also became available earlier with Safari on iOS 16 and macOS Ventura.

Passkeys are essentially intended to be a replacement for passwords. Rather than having to maintain an alphanumeric pattern for a particular site, however, they'll be using the device you most likely have in your hand. By leveraging fingerprint or facial recognition support, or even pins, any operating system that supports passkeys will use your device to create a private key that interfaces with a service's public key. Both keys combined will be your passkey. You can use passkeys alongside passwords, or in lieu of them. They'll be stored on your device's password manager, including Google's own Password Manager and iCloud's KeyChain.

Mobile

Google is paying a historic $85 million fine after illegally tracking Android phones

Google will be paying Arizona $85 million in a settlement over a 2020 lawsuit that claimed the company was illegally tracking Android users for targeted advertising.

According to a report from Bloomberg, Attorney General Mark Brnovich filed a lawsuit in May 2020 claiming that Google violated the state's Consumer Fraud Act by gathering location data from Android users, even after people turned off their location settings. At the time, Google's own employees were confused about its privacy controls, admitting that it could use some fine-tuning so that when users deny the company permission to track their data, it has to respect their decision.