Trend Micro uncovered how cybercriminals may profit from NICKISPY variants. A Chinese website offers mobile phone monitoring tools and services to customers who are given access to the site’s backend to retrieve information. However, such services are not cheap and can cost from US$300–540.
We’ve been reporting about several NICKISPY variants—Android malware that can monitor a mobile phone user’s activities and whereabouts like SMS, phone calls, and location—here on the Malware Blog and we’ve been curious as to how cybercriminals use private information and earn money from stealing it.
Now, we have a clear example. We found a Chinese website that offers a mobile phone monitoring service. Once a customer decides to employ the service, he/she gets an account to log in to a backend server of the service, from which information gathered from a target device can be viewed.
The backend service can be accessed through a portal where the user must first send an MMS that includes malware as an attachment to a victim’s mobile phone number. The malware, once installed on the victim’s mobile phone, will be used to monitor information related to SMS, phone calls, device location, and email messages. Reports are then sent back to the backend service, which can then be accessed by the customer through the portal.
Here is the configuration page of the backend server’s portal:
The Remote Receiver Phone Number field is the phone number that will receive the reports sent by the service, which contain new activity information from the monitored phone. Note that the customer may choose which number will be displayed as the sender of the MMS. Using a number that the victim is familiar with may convince him/her that he/she is receiving a normal MMS, leaving him/her completely unaware that malware was already installed on the device.
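The workflow described above gives a defender a concrete profile to look for: an app delivered as an MMS attachment that watches SMS, calls, and location and reports back over the network. The following Python triage script is an added example (not Trend Micro's tooling or code from the post) that scores a decoded AndroidManifest.xml against that profile. It assumes the spyware has to declare the standard Android permissions for each channel it monitors; the manifests below are constructed samples, not the real NICKISPY manifest.

```python
"""Manifest triage heuristic for NICKISPY-style monitoring apps.

Added example, not Trend Micro's code. Assumption: an app that monitors SMS,
calls, and location and reports them back must request the corresponding
Android permissions, so a decoded manifest exposes the capability profile
the blog post describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capability groups keyed by what the post says the spyware monitors.
# Permission names are real Android permissions; the grouping is ours.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS",
              "android.permission.READ_PHONE_STATE",
              "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    # Delivery vector described in the post: malware arrives as an MMS attachment.
    "mms_delivery": {"android.permission.RECEIVE_MMS"},
    # Reports must leave the device somehow: network or outbound SMS.
    "exfiltration": {"android.permission.INTERNET",
                     "android.permission.SEND_SMS"},
}

# Constructed sample: a manifest matching the monitoring profile.
SPYWARE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.monitor">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: an ordinary messaging app that legitimately reads SMS.
BENIGN_SMS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def capability_profile(manifest_xml):
    """Map each capability group to whether the manifest requests any of it."""
    perms = declared_permissions(manifest_xml)
    return {cap: bool(perms & needed) for cap, needed in CAPABILITIES.items()}


def looks_like_monitoring_app(manifest_xml, threshold=3):
    """Flag a manifest that can exfiltrate and watches >= threshold channels.

    A single monitored channel (e.g. an SMS client) is normal; the combination
    of SMS, calls, location and MMS receipt plus an exfiltration path is the
    profile the post describes.
    """
    profile = capability_profile(manifest_xml)
    monitored = sum(profile[c] for c in ("sms", "calls", "location", "mms_delivery"))
    return profile["exfiltration"] and monitored >= threshold


def triage(manifests):
    """Return the names of manifests that match the profile, for batch review."""
    return [name for name, xml in manifests.items() if looks_like_monitoring_app(xml)]


if __name__ == "__main__":
    samples = {"constructed-monitor": SPYWARE_MANIFEST,
               "constructed-messenger": BENIGN_SMS_MANIFEST}
    for name, xml in samples.items():
        print(name, capability_profile(xml))
    print("flagged:", triage(samples))
```

The threshold of three monitored channels is a tuning knob, not a fixed rule: a legitimate backup or family-safety app can also request several of these permissions, so a hit should feed a manual review (who signed the APK, how it was delivered, where it reports to) rather than an automatic verdict.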