Monday, August 15, 2011

Android Malware Eavesdrops on Users, Uses Google+ as Disguise


Last week, we reported on ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, Android malware thatrecorded phone calls made from infected devices then sent stolen information to a remote site.
This week, we saw another Android malware with the same code structure as ANDROIDOS_NICKISPY.A. Like the latter, this does not display an icon and executes similar routines, save for some modifications.
Detected by Trend Micro products as ANDROIDOS_NICKISPY.C, it uses the following services:

  • MainService
  • AlarmService
  • SocketService
  • GpsService
  • CallRecordService
  • CallLogService
  • UploadService
  • SmsService
  • ContactService
  • SmsControllerService
  • CommandExecutorService
  • RegisterService
  • CallsListenerService
  • KeyguardLockService
  • ScreenService
  • ManualLocalService
  • SyncContactService
  • LocationService
  • EnvRecordService
This malware comes in the guise of Google+, Google’s most recent foray into the social networking scene, in an attempt to hide from affected users. All the above-mentioned services use the Google+ icon. The app itself is installed using the name, Google++.

Click for larger viewClick for larger view
ANDROIDOS_NICKISPY.C is capable of collecting data such as text messages, call logs, and GPS location from infected devices, which it then uploads to a certain URL through port 2018.
It is also capable of receiving commands via text messages. To do so, however, it requires the sender to use the predefined “controller” number from the malware’s configuration file to send a message as well as to enter a password to execute the command.
Listening In
Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C also has the capability to record phone calls made from infected devices. What makes this particular variant different is that it has the capability to automatically answer incoming calls.
Click for larger view
The code suggests that the following criteria must be met before the malware can answer a phone call:
  1. The call must come from the number on the “controller” tag from its configuration file.
  2. The phone screen must be turned off.
Before answering the call, it puts the phone on silent mode to prevent the affected user from hearing it. It also hides the dial pad and sets the current screen to display the home page. During testing, after the malware answered the phone, the screen went blank.
Click for larger viewClick for larger view
From the looks of it, the developer of this app went for the more real-time kind of eavesdropping as well, apart from the one ANDROIDOS_NICKISPY.A used, which involved recording calls.
The “auto-answering” function of this malicious Android app works only on Android 2.2 and below since theMODIFY_PHONE_STATE permission was disabled in Android 2.3.
For ways to keep your Android-based devices secure, check out our e-book, “5 Simple Steps to Secure YourAndroid-Based Smartphones.”
via :  TrendMicro

 
Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes