CallerSpy Android Malware Advertised as Chat App Steals Call Logs, SMS, Contacts & Files on the Infected Device

Researchers observed a new malware family in May involved in various cyberespionage campaigns advertised as a chat app dubbed “Chatrious” downloaded from the malicious website by clicking the download button on the site.

The campaign back in action again with a different app called “Apex App”, that steals the user’s infection on the affected device. Trend Micro detected the threat as AndroidOS_CallerSpy.HRX.

Two malicious apps

CallerSpy Malware Distribution

CallerSpy distributed as a chat app when the app launched in the victim device connects with the C&C server via Socket.IO and to monitor commands from the C&C server. Also, it schedules new tasks by using Evernote for stealing information.

malware functions

The malware is capable of stealing various information such as call logs, SMSs, contacts, and files on the device. It also takes screenshots of the infected device and later sends it to the C&C server.

According to Trend Micro research “The malware creates a local storage on the infected device and they will be uploaded to the C&C server periodically, it looks for the following file formats in the infected device that includes jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.”

All the collected data encoded as Base64 and the data uploaded to the C&C server. To trick the users the threat actors used typo squatted domain gooogle[.]press.

Researchers able to find four C&C IP addresses hosted on the legitimate service and they are connected with port 3000. The malicious app doesn’t provide any user interface (UI) and it uses only the default android app icon labeled as the rat.

Available forms

The download section of the malicious page provides options to download the app indicating Apple, Android and Windows platforms. But now the app supports only for the Android device.

The good news is that the app is not available to download from the play store and the victims of the malware are still unclear.

Also Read: StrandHogg – Hackers Aggressively Exploiting New Unpatched Android OS Vulnerability in Wide Using Malware

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago