by Ecular Xu and Grey Guo
We have been seeing attacks that spy on and steal data from specific targets on the mobile platform since late 2017. We discovered the malicious apps victimizing Android users in India, and believe a hacking group—one previously known for victimizing government officials—carried out the attacks. We identified these malicious apps as PoriewSpy (detected by Trend Micro as ANDROIDOS_PORIEWSPY.HRX). We also suspect that the group used malicious apps built using DroidJack or SandroRAT (detected as ANDROIDOS_SANRAT.A), based on similarities in their command-and-control (C&C) server. DroidJack is a remote access Trojan (RAT) that allows intruders to take full control of a user’s Android device when installed.
The operators behind these malicious apps might be related to a suspected cyberespionage group discovered in 2016, but it’s possible that the group may be launching different attacks unrelated to their previous campaign.
PoriewSpy turns device into an audio recorder, steals other device info
Existing as far back as 2014, PoriewSpy steals sensitive information from victims’ devices such as SMS, call logs, contacts, location, and SD card file list. It can also record victims’ voice calls. The malware was developed from an open-source project called android-swipe-image-viewer, or Android Image Viewer, which the malware operator/s modified to add the following components:
|android.permission.INTERNET||Allows applications to open network sockets|
|android.permission.RECORD_AUDIO||Allows applications to record audio|
|android.permission.ACCESS_NETWORK_STATE||Allows applications to access information about networks|
|android.permission.READ_SMS||Allows applications to read SMS messages|
|android.permission.READ_LOGS||Allows applications to read the low-level system log files|
|android.permission.GET_ACCOUNTS||Allows access to the list of accounts in the Accounts Service|
|android.permission.READ_CONTACTS||Allows applications to read the user’s contacts data|
|android.permission.READ_CALL_LOG||Allows applications to read the user’s call log.|
|android.permission.READ_PHONE_STATE||Allows read only access to phone state|
|android.permission.WRITE_EXTERNAL_STORAGE||Allows applications to write to external storage.|
|android.permission.READ_EXTERNAL_STORAGE||Allows applications to read from external storage.|
|android.permission.RECEIVE_BOOT_COMPLETED||Allows applications to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting|
|android.permission.BATTERY_STATS||Allows applications to collect battery statistics|
|aandroid.permission.ACCESS_FINE_LOCATION||Allows applications to access fine(e.g., GPS) location|
|android.permission.ACCESS_WIFI_STATE||Allows applications to access information about Wi-Fi networks|
|android.permission.ACCESS_COARSE_LOCATION||Allows applications to access coarse (e.g., Cell-ID, WiFi) location|
|android.permission.ACCESS_MOCK_LOCATION||Allows applications to create mock location providers for testing|
|android.permission.CHANGE_NETWORK_STATE||Allows applications to change network connectivity state|
|android.permission.CHANGE_WIFI_STATE||Allows applications to change Wi-Fi connectivity state|
Figure 1. Permissions added by the malware author/s to the modified Android Image Viewer
|AudioRecord||Main espionage component|
|LogService||For log collection|
|OnBootReceiver||Auto start after device reboot|
|BatteryReciever||For device power connect action|
|CallBroadcastReceiver||Handle Call actions|
|NetworkChangeReceiver||Handle device network actions|
|CameraEventReciver||Handle Camera related actions|
Figure 2. Services and receivers added by the malware author/s to the modified Android Image Viewer
PoriewSpy apps were automatically downloaded from malicious websites visited by users. When the malicious app is launched, it will initially show nude photos of an Indian actress, but will later hide its icon to obscure itself from users’ sight. When the user calls using an infected device, the malware will start recording the audio, which it saves to /sdcard/.googleplay.security/ named as “_VoiceCall_” + currentTime. It can also turn the mobile device into an audio recorder to timely record audio every 60 seconds even when the user is not having a phone call.
Figure 3. Code snippet of malware performing offline audio recording on user device
Apart from secretly recording audio using the affected device, the malware can also write and steal contacts, SMS, call logs, and location information.
Figure 4. Code snippet of malware stealing contacts from user device
Figure 5. Code snippet of malware stealing SMS content from user device
Figure 6. Code snippet of malware stealing call logs from user device
Figure 7. Code snippet of malware accessing http://mylocation.org to steal the user device’s location related to its IP address. Note: the malware can still compromise the user even when they are outside India or South Asia.
Figure 8. Code snippet of malware stealing location information from user device through GPS or network
In our research, we also found a malicious app, named after an Indian model-actress, which bears similarities to the code of PoriewSpy apps. Created in 2014, we speculate that this is an earlier version of PoriewSpy that also shares the same C&C server with some of the latest ones. The malicious app is capable of stealing call logs, contacts, SMS, SD card file list, and audio recording.
Figure 9. Left: Configuration code of the seemingly earlier version of PoriewSpy. Right: Configuration code of the latest version of PoriewSpy.
Malicious apps developed using DroidJack
Apps built using DroidJack also appear to have been used by the hacking group behind PoriewSpy, based on the C&C servers they share. The operators disguised these DroidJack-built apps as freeCall, BatterySavor, Secure_Comm, and Nexus_Compatability.
The malicious apps are capable of obtaining all necessary permissions for an Android device’s main functions, including accessing, modifying, and executing calls, SMS, phonebook, camera, audio recorder, as well as enable or disable Wi-Fi connectivity.
The C&C servers of PoriewSpy and DroidJack-built apps
Some of PoriewSpy’s C&C servers were located at 5[.]189[.]137[.]8 and 5[.]189[.]145[.]248, while some of the DroidJack-built apps’ were at 93[.]104[.]213[.]217 and 88[.]150[.]227[.]71. Our research revealed that these four C&C servers were previously used by a hacking group who allegedly engaged in cyberespionage activities. The abused IPs 5[.]189[.]137[.]8, 5[.]189[.]145[.]248, and 93[.]104[.]213[.]217 can be traced back to a legitimate hosting service provider based in Germany. Meanwhile, 88[.]150[.]227[.]71’s is in the UK. 62[.]4[.]2[.]211, the C&C server of the initial version of PoriewSpy used by some of the latest versions, belongs to a service provider in France. The hacking group also used draagon[.]ddns[.]net, located in South Asia.
Figure 10. The chart above shows the connections between the C&C servers of PoriewSpy and DroidJack-built apps, and the suspected cyberespionage group. The green dots represent the current malicious samples. IPs colored in yellow are the ones used by the group in their previous campaign, while the ones in red are presumably the extension to the mobile platform.
The period PoriewSpy and DroidJack-built apps became active also appear to match that of the hacking group’s campaign. It was observed that the activities of the abovementioned mobile malware became active in late 2015 to early 2016, which was around the same period the hacking group’s campaign was also active.
Targeted attacks on mobile devices may be few compared to ones for desktops or PCs, but the discovery of PoriewSpy and other malicious apps that spy on the mobile platform should caution users of the threat that may come their way if their devices remain unsecured. Downloading only from legitimate app stores can prevent PoriewSpy and DroidJack-built apps from compromising your mobile device. It is also important to be aware of what apps are allowed to access, and to understand the risks before accepting any terms or granting certain permissions to apps.
End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ which is also available on Google Play. For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.
Trend Micro’s MARS covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
We disclosed our findings to Google, who stated that none of the abovementioned malicious apps are on Google Play. Updates were made to Google Play Protect to defend against new and existing similar threats.
Indicators of Compromise (IOCs)
|SHA256||App Label||Package Name|