Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Last week, we reported on ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, Android malware that recorded phone calls made from infected devices then sent stolen information to a remote site.

    This week, we saw another Android malware with the same code structure as ANDROIDOS_NICKISPY.A. Like the latter, this does not display an icon and executes similar routines, save for some modifications.

    Detected by Trend Micro products as ANDROIDOS_NICKISPY.C, it uses the following services:

    • MainService
    • AlarmService
    • SocketService
    • GpsService
    • CallRecordService
    • CallLogService
    • UploadService
    • SmsService
    • ContactService
    • SmsControllerService
    • CommandExecutorService
    • RegisterService
    • CallsListenerService
    • KeyguardLockService
    • ScreenService
    • ManualLocalService
    • SyncContactService
    • LocationService
    • EnvRecordService

    This malware comes in the guise of Google+, Google’s most recent foray into the social networking scene, in an attempt to hide from affected users. All the above-mentioned services use the Google+ icon. The app itself is installed using the name, Google++.

    Click for larger view Click for larger view

    ANDROIDOS_NICKISPY.C is capable of collecting data such as text messages, call logs, and GPS location from infected devices, which it then uploads to a certain URL through port 2018.

    It is also capable of receiving commands via text messages. To do so, however, it requires the sender to use the predefined “controller” number from the malware’s configuration file to send a message as well as to enter a password to execute the command.

    Listening In

    Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C also has the capability to record phone calls made from infected devices. What makes this particular variant different is that it has the capability to automatically answer incoming calls.

    Click for larger view

    The code suggests that the following criteria must be met before the malware can answer a phone call:

    1. The call must come from the number on the “controller” tag from its configuration file.
    2. The phone screen must be turned off.

    Before answering the call, it puts the phone on silent mode to prevent the affected user from hearing it. It also hides the dial pad and sets the current screen to display the home page. During testing, after the malware answered the phone, the screen went blank.

    Click for larger view Click for larger view

    From the looks of it, the developer of this app went for the more real-time kind of eavesdropping as well, apart from the one ANDROIDOS_NICKISPY.A used, which involved recording calls.

    The “auto-answering” function of this malicious Android app works only on Android 2.2 and below since the MODIFY_PHONE_STATE permission was disabled in Android 2.3.

    For ways to keep your Android-based devices secure, check out our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”

    Additional analysis by Julius Dizon and Kervin Alintanahin

    Related blog entries here:

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice