• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Mobile   »   Hacking Group Spies on Android Users in India Using PoriewSpy

Hacking Group Spies on Android Users in India Using PoriewSpy

  • Posted on:January 29, 2018 at 12:00 am
  • Posted in:Mobile, Targeted Attacks
  • Author:
    Mobile Threat Response Team
0

by Ecular Xu and Grey Guo

We have been seeing attacks that spy on and steal data from specific targets on the mobile platform since late 2017. We discovered the malicious apps victimizing Android users in India, and believe a hacking group—one previously known for victimizing government officials—carried out the attacks. We identified these malicious apps as PoriewSpy (detected by Trend Micro as ANDROIDOS_PORIEWSPY.HRX). We also suspect that the group used malicious apps built using DroidJack or SandroRAT (detected as ANDROIDOS_SANRAT.A), based on similarities in their command-and-control (C&C) server. DroidJack is a remote access Trojan (RAT) that allows intruders to take full control of a user’s Android device when installed.

The operators behind these malicious apps might be related to a suspected cyberespionage group discovered in 2016, but it’s possible that the group may be launching different attacks unrelated to their previous campaign.

PoriewSpy turns device into an audio recorder, steals other device info

Existing as far back as 2014, PoriewSpy steals sensitive information from victims’ devices such as SMS, call logs, contacts, location, and SD card file list. It can also record victims’ voice calls. The malware was developed from an open-source project called android-swipe-image-viewer, or Android Image Viewer, which the malware operator/s modified to add the following components:

Permissions
android.permission.INTERNET Allows applications to open network sockets
android.permission.RECORD_AUDIO Allows applications to record audio
android.permission.ACCESS_NETWORK_STATE Allows applications to access information about networks
android.permission.READ_SMS Allows applications to read SMS messages
android.permission.READ_LOGS Allows applications to read the low-level system log files
android.permission.GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
android.permission.READ_CONTACTS Allows applications to read the user’s contacts data
android.permission.READ_CALL_LOG Allows applications to read the user’s call log.
android.permission.READ_PHONE_STATE Allows read only access to phone state
android.permission.WRITE_EXTERNAL_STORAGE Allows applications to write to external storage.
android.permission.READ_EXTERNAL_STORAGE Allows applications to read from external storage.
android.permission.RECEIVE_BOOT_COMPLETED Allows applications to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting
android.permission.BATTERY_STATS Allows applications to collect battery statistics
aandroid.permission.ACCESS_FINE_LOCATION Allows applications to access fine(e.g., GPS) location
android.permission.ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
android.permission.ACCESS_COARSE_LOCATION Allows applications to access coarse (e.g., Cell-ID, WiFi) location
android.permission.ACCESS_MOCK_LOCATION Allows applications to create mock location providers for testing
android.permission.CHANGE_NETWORK_STATE Allows applications to change network connectivity state
android.permission.CHANGE_WIFI_STATE Allows applications to change Wi-Fi connectivity state

Figure 1. Permissions added by the malware author/s to the modified Android Image Viewer

Services
AudioRecord Main espionage component
LogService For log collection
RecordService Audio record
Receivers
OnBootReceiver Auto start after device reboot
BatteryReciever For device power connect action
CallBroadcastReceiver Handle Call actions
NetworkChangeReceiver Handle device network actions
CameraEventReciver Handle Camera related actions

Figure 2. Services and receivers added by the malware author/s to the modified Android Image Viewer

PoriewSpy apps were automatically downloaded from malicious websites visited by users. When the malicious app is launched, it will initially show nude photos of an Indian actress, but will later hide its icon to obscure itself from users’ sight. When the user calls using an infected device, the malware will start recording the audio, which it saves to /sdcard/.googleplay.security/ named as “_VoiceCall_” + currentTime. It can also turn the mobile device into an audio recorder to timely record audio every 60 seconds even when the user is not having a phone call.

Figure 3

Figure 3. Code snippet of malware performing offline audio recording on user device

Apart from secretly recording audio using the affected device, the malware can also write and steal contacts, SMS, call logs, and location information.

Figure 4

Figure 4. Code snippet of malware stealing contacts from user device

Figure 5

Figure 5. Code snippet of malware stealing SMS content from user device

Figure 6

Figure 6. Code snippet of malware stealing call logs from user device

Figure 7

Figure 7. Code snippet of malware accessing http://mylocation.org to steal the user device’s location related to its IP address. Note: the malware can still compromise the user even when they are outside India or South Asia.

Figure 8

Figure 8. Code snippet of malware stealing location information from user device through GPS or network

In our research, we also found a malicious app, named after an Indian model-actress, which bears similarities to the code of PoriewSpy apps. Created in 2014, we speculate that this is an earlier version of PoriewSpy that also shares the same C&C server with some of the latest ones. The malicious app is capable of stealing call logs, contacts, SMS, SD card file list, and audio recording.

Figure 9

Figure 9. Left: Configuration code of the seemingly earlier version of PoriewSpy. Right: Configuration code of the latest version of PoriewSpy.

Malicious apps developed using DroidJack

Apps built using DroidJack also appear to have been used by the hacking group behind PoriewSpy, based on the C&C servers they share. The operators disguised these DroidJack-built apps as freeCall, BatterySavor, Secure_Comm, and Nexus_Compatability.

The malicious apps are capable of obtaining all necessary permissions for an Android device’s main functions, including accessing, modifying, and executing calls, SMS, phonebook, camera, audio recorder, as well as enable or disable Wi-Fi connectivity.

The C&C servers of PoriewSpy and DroidJack-built apps

Some of PoriewSpy’s C&C servers were located at 5[.]189[.]137[.]8 and 5[.]189[.]145[.]248, while some of the DroidJack-built apps’ were at 93[.]104[.]213[.]217 and 88[.]150[.]227[.]71. Our research revealed that these four C&C servers were previously used by a hacking group who allegedly engaged in cyberespionage activities. The abused IPs 5[.]189[.]137[.]8, 5[.]189[.]145[.]248, and 93[.]104[.]213[.]217 can be traced back to a legitimate hosting service provider based in Germany. Meanwhile, 88[.]150[.]227[.]71’s is in the UK. 62[.]4[.]2[.]211, the C&C server of the initial version of PoriewSpy used by some of the latest versions, belongs to a service provider in France. The hacking group also used draagon[.]ddns[.]net, located in South Asia.

Figure 10

Figure 10. The chart above shows the connections between the C&C servers of PoriewSpy and DroidJack-built apps, and the suspected cyberespionage group. The green dots represent the current malicious samples. IPs colored in yellow are the ones used by the group in their previous campaign, while the ones in red are presumably the extension to the mobile platform.

The period PoriewSpy and DroidJack-built apps became active also appear to match that of the hacking group’s campaign. It was observed that the activities of the abovementioned mobile malware became active in late 2015 to early 2016, which was around the same period the hacking group’s campaign was also active.

Countermeasures

Targeted attacks on mobile devices may be few compared to ones for desktops or PCs, but the discovery of PoriewSpy and other malicious apps that spy on the mobile platform should caution users of the threat that may come their way if their devices remain unsecured. Downloading only from legitimate app stores can prevent PoriewSpy and DroidJack-built apps from compromising your mobile device. It is also important to be aware of what apps are allowed to access, and to understand the risks before accepting any terms or granting certain permissions to apps.

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s MARS covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

We disclosed our findings to Google, who stated that none of the abovementioned malicious apps are on Google Play. Updates were made to Google Play Protect to defend against new and existing similar threats.

Indicators of Compromise (IOCs)

SHA256 App Label Package Name
cc84045618448e9684e43d5b9841aacedae94c2177862837c5a9e29c73716a90 com.google.security com.sqisland.android.swipe_image_viewer
34331ed1d919a1b3f6aeeb5ef7954b4101aabc54514d67611c26f284e459024d com.google.security com.sqisland.android.swipe_image_viewer
2eb74656d63c0998ad37cf5da7e2397ddbb5523ad6ee0ca9847fa27875d0420e com.google.security com.sqisland.anwdroid.sipe_image_viewer
230ddf07a868ccae369b891bc94a10efd928ff9c0c2fb2e44451e32167d2c2b7 com.google.security com.sqisland.android.swipe_image_viewer
6b2ef1b5fab6fcc4167d24c391120fb5a4d1cdf9d75ae16352219f1939007fcc com.google.security com.sqisland.android.swipe_image_viewer
43142a836aa0d29dfbd55b0e21bb272e4f34ffd15ccfb4424f1f8c3502b6ca7c com.google.security com.sqisland.android.swipe_image_viewer
26cc93bcc141262bbbbc66e592dde2e6805b4007ef35844a7ee0ebcd27f2aef4 freecallv3 net.droidjack.server
e6753bba53d7cca4a534c3089f24cd0546462667d110c0d48974f9e76714fe1c Nexus_Compatability net.droidjack.server
563ebffbcd81d41e3ddb7b6ed580a2b17a6a6e14ec6bf208c9c22d7a296de7ae Rabia_Secrets net.droidjack.server
46c91f72e63c0857c30c9fea71a3cabf24523b683a5e77348343940072fb7371 BatterySavor net.droidjack.server
8b64a32e386d7cc51bb761bee8959bb5cac20e79ae1e549b04b7354e67bdee66 Secure_Comm net.droidjack.server
f529ccdee54c53e4c02366713ec2d2e8ff629fe56b2f5778f9f7d31f809e4446 Sannia_Secrets.. net.droidjack.server
8d89c1e697fc1bc1c18156bd12b3b44efbf551dbe077af23e560a4516df06143 Shivali Rastogi com.poonam.panday

C&C servers

74[.]208[.]102[.]80
5[.]189[.]137[.]8
5[.]189[.]145[.]248
93[.]104[.]213[.]217
draagon[.]ddns[.]net
88[.]150[.]227[.]71
62[.]4[.]2[.]211
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: PoriewSpy

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.