More and more spying tools are being sold in app stores, specifically those catering to Android users. One of those that has gotten some attention from the media goes beyond the typical routines of known spying tools, which include text message forwarding and GPS information transfer. In addition to the said routines, this particular spying tool records phone calls made from infected devices.
Unlike the other Android malware that pose as legitimate apps, this uses a social engineering hook. It publishes its routines and promotes itself as a spying tool that users can use through a certain Chinese third-party app store.
We have analyzed a couple of samples of this app, which we now detect as ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B.
ANDROIDOS_NICKISPY.B appears to be an updated version of ANDROIDOS_NICKISPY.A, as the two essentially have the same routines, except for a few differences. For example, ANDROID_NICKISPY.A sends the IMEI number of the infected device to a hardcoded number while ANDROIDOS_NICKISPY.B doesn’t. On the other hand, unlike ANDROID_NICKISPY.A, ANDROID_NICKISPY.B displays an icon, as shown in Figure 1 below. Once the user tries to access the app through the icon, it displays a warning to the user and states the routines that it will perform.
At this point, the user has the option to execute the app or to terminate it. Choosing to execute the app displays a notification while terminating it, rightfully so, stops the app and the services it starts. It should, however, be noted that the app automatically executes whenever the device is rebooted.
The app basically collects the GPS location of the affected users, gathers all of the messages found in the device’s inbox and outbox, and records all of the calls made via the device. The GPS location information and messages are then sent to a certain remote site using port 2018. The recorded phone calls, on the other hand, are saved in a directory located in the device’s memory card before these are uploaded to the remote site.
Other spying tools we’ve encountered require the user to configure the settings where the information gathered will be uploaded for later access. This particular app does not require such settings and the information collected (i.e., text messages and GPS location data) is uploaded to a server that the user cannot access. In addition, the recorded phone calls are deleted from the device once these are uploaded to the same server.
We suspect that either the app’s creator has not yet set the “information retrieval” mechanism for it or the app is only designed to steal information from mobile phones.
This is definitely not the first spying tool we’ve seen being offered in an app store. In fact, we also detect similar tools being offered in the Android Market. We do so to protect customers from apps designed to spy on them and to steal their personal information, especially since such apps tend to have vague EULAs, allowing these to do more than they disclose. That said, we strongly advise users against using such tools.
Updated August 7, 2011, 8:23 PM, PST to add screenshots of saved call record, as well as packet capture of the record being uploaded to a remote site.