Saturday, November 2, 2024
HomeAndroidCallerSpy Android Malware Advertised as Chat App Steals Call Logs, SMS, Contacts...

CallerSpy Android Malware Advertised as Chat App Steals Call Logs, SMS, Contacts & Files on the Infected Device

Published on

Malware protection

Researchers observed a new malware family in May involved in various cyberespionage campaigns advertised as a chat app dubbed “Chatrious” downloaded from the malicious website by clicking the download button on the site.

The campaign back in action again with a different app called “Apex App”, that steals the user’s infection on the affected device. Trend Micro detected the threat as AndroidOS_CallerSpy.HRX.

CallerSpy
Two malicious apps

CallerSpy Malware Distribution

CallerSpy distributed as a chat app when the app launched in the victim device connects with the C&C server via Socket.IO and to monitor commands from the C&C server. Also, it schedules new tasks by using Evernote for stealing information.

- Advertisement - SIEM as a Service
CallerSpy commands
malware functions

The malware is capable of stealing various information such as call logs, SMSs, contacts, and files on the device. It also takes screenshots of the infected device and later sends it to the C&C server.

According to Trend Micro research “The malware creates a local storage on the infected device and they will be uploaded to the C&C server periodically, it looks for the following file formats in the infected device that includes jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.”

All the collected data encoded as Base64 and the data uploaded to the C&C server. To trick the users the threat actors used typo squatted domain gooogle[.]press.

Researchers able to find four C&C IP addresses hosted on the legitimate service and they are connected with port 3000. The malicious app doesn’t provide any user interface (UI) and it uses only the default android app icon labeled as the rat.

Available forms

The download section of the malicious page provides options to download the app indicating Apple, Android and Windows platforms. But now the app supports only for the Android device.

The good news is that the app is not available to download from the play store and the victims of the malware are still unclear.

Also Read: StrandHogg – Hackers Aggressively Exploiting New Unpatched Android OS Vulnerability in Wide Using Malware

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...