More and more spying tools are being sold in app stores, specifically those catering to Android users. One that has gotten some media attention goes beyond the typical routines of known spying tools, which include text message forwarding and GPS information transfer. In addition to these routines, this particular spying tool records phone calls made from infected devices.
Unlike other Android malware that poses as legitimate apps, this one uses a social engineering hook. It publishes its routines and promotes itself as a spying tool that users can use through a certain Chinese third-party app store.
We have analyzed a couple of samples of this app, which we now detect as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B.
ANDROIDOS_NICKISPY.B appears to be an updated version of ANDROIDOS_NICKISPY.A, as the two have essentially the same routines, with a few differences. For example, ANDROIDOS_NICKISPY.A sends the IMEI number of the infected device to a hardcoded number, while ANDROIDOS_NICKISPY.B doesn’t. On the other hand, unlike ANDROIDOS_NICKISPY.A, ANDROIDOS_NICKISPY.B displays an icon, as shown in Figure 1 below. Once the user tries to access the app through the icon, it displays a warning that states the routines it will perform.