Last week, we reported on ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, Android malware that recorded phone calls made from infected devices then sent stolen information to a remote site.

This week, we saw another Android malware with the same code structure as ANDROIDOS_NICKISPY.A. Like the latter, this does not display an icon and executes similar routines, save for some modifications.

Detected by Trend Micro products as ANDROIDOS_NICKISPY.C, it uses the following services:

• MainService
• AlarmService
• SocketService
• GpsService
• CallRecordService
• CallLogService
• UploadService
• SmsService
• ContactService
• SmsControllerService
• CommandExecutorService
• RegisterService
• CallsListenerService
• KeyguardLockService
• ScreenService
• ManualLocalService
• SyncContactService
• LocationService
• EnvRecordService

This malware comes in the guise of Google+, Google’s most recent foray into the social networking scene, in an attempt to hide from affected users. All the above-mentioned services use the Google+ icon. The app itself is installed using the name, Google++.

ANDROIDOS_NICKISPY.C is capable of collecting data such as text messages, call logs, and GPS location from infected devices, which it then uploads to a certain URL through port 2018.

It is also capable of receiving commands via text messages. To do so, however, it requires the sender to use the predefined “controller” number from the malware’s configuration file to send a message as well as to enter a password to execute the command.

Listening In

Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C also has the capability to record phone calls made from infected devices. What makes this particular variant different is that it has the capability to automatically answer incoming calls.

The code suggests that the following criteria must be met before the malware can answer a phone call:

1. The call must come from the number on the “controller” tag from its configuration file.
2. The phone screen must be turned off.

Before answering the call, it puts the phone on silent mode to prevent the affected user from hearing it. It also hides the dial pad and sets the current screen to display the home page. During testing, after the malware answered the phone, the screen went blank.

From the looks of it, the developer of this app went for the more real-time kind of eavesdropping as well, apart from the one ANDROIDOS_NICKISPY.A used, which involved recording calls.

The “auto-answering” function of this malicious Android app works only on Android 2.2 and below since the MODIFY_PHONE_STATE permission was disabled in Android 2.3.

For ways to keep your Android-based devices secure, check out our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”

Additional analysis by Julius Dizon and Kervin Alintanahin

Related blog entries here:

• More Spying Tools Being Seen in Application Markets
• Is mobile malware really a problem?