The malware was found bundled in an app called "System Update" that had to be installed outside of Google Play, the app store for Android devices.
Once installed by the user, the app hides and stealthily exfiltrates data from the victim's device to the operator's servers.
Researchers at mobile security firm Zimperium, which discovered the malicious app, said once the victim installs the malicious app, the malware communicates with the operator's Firebase server, used to remotely control the device.
The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound from the microphone, and take photos using the phone's cameras.
The malware tracks the victim's location, searches for document files and grabs copied data from the device's clipboard.
It hides from the victim and tries to evade capture by reducing how much network data it consumes by uploading thumbnails to the attacker's servers rather than the full image. The malware captures the most up-to-date data, including location and photos.