Security researchers from Trend Micro discovered malicious apps that spies on and steal data from Android users. Malicious apps dubbed as PoriewSpy steals sensitive information from victims’ such as contacts, location, call logs, SMS, and files in SD cards.
Researchers believe these malicious apps were distributed by a hacking group that targets Indian Government officials before and they suspect these malicious built using DroidJack or SandroRAT based on C&C servers.
Attackers used open source projects android-swipe-image-viewer, or Android Image Viewer for malware development and they have added some additional components and the campaign targetting Android users in India.
Malicious Apps Distribution
PoriewSpy pushed automatically from the malicious websites that visited by users and these apps are named after Indian model-actress. Once launched it will turn your phone into an audio recorder.
Also Read Malicious Code in Kids Game Apps on Google Play Pushing Porn Ads – More than 60 Game Apps Infected
If the malicious apps launched it would initially show up with the nude photos of an Indian actress, but later it hides it app icon from user’s sight. Trend Micro published a detailed analysis report.
Services | |
AudioRecord | Main espionage component |
LogService | For log collection |
RecordService | Audio record |
“When the user calls using an infected device, the malware will start recording the audio, which it saves to /sdcard/ /.googleplay.security/ named as “_VoiceCall_” + currentTime. It can also turn the mobile device into an audio recorder to timely record audio every 60 seconds even when the user is not having a phone call”, Researchers said.
The malware not only records the audio, it is also capable of stealing contacts, SMS, call logs, and location information.
A hacking group behind PoriewSpy built a number of the malicious app using DroidJack and they are disguised as freeCall, BatterySavor, Secure_Comm, and Nexus_Compatability.“In our research, we also found a malicious app, named after an Indian model-actress, which bears similarities to the code of PoriewSpy apps. Created in 2014, we speculate that this is an earlier version of PoriewSpy that also shares the same C&C server with some of the latest ones”, Researchers said.
Command and Control Servers – PoriewSpy
C&C servers for PoriewSpy and DroidJack-built apps based in Germany, France, and the UK. Both of the malware campaigns became active in the same period of time.
C&C IP’s
5[.]189[.]137[.]8
5[.]189[.]145[.]248
93[.]104[.]213[.]217
88[.]150[.]227[.]71
62[.]4[.]2[.]211
draagon[.]ddns[.]net
Mitigations
- Give careful consideration to the permission asked for by applications.
- Download applications from trusted sources.
- Stay up with the latest version.
- Encrypt your devices.
- Make frequent backups of important data.
- Install anti-malware on their devices.
- Stay strict with CIA Cycle.