Wednesday, November 6, 2024

Stalkerware – New Android Spyware Apps Remotely Gain Admin-level Access to Spy on Your Activities & Steal Your Data


Researchers discovered a new wave of spyware apps, known as Stalkerware, that has emerged in the wild over the past few months; these apps spy on victims' online activities and steal sensitive data from infected devices.

Recently the FTC warned that Retina-X developed and sold MobileSpy, PhoneSheriff and TeenShield, which shared sensitive information about smartphone activity such as call history, text messages, photos, GPS locations, and browser history.

Following this FTC report, a new set of Stalkerware apps has emerged that spies on victims' devices; the spyware is installed on the device without the victim's knowledge.


Attackers use various social engineering techniques to get the spyware installed rather than physically accessing the device. These spyware apps are also capable of gaining device-administrator privileges, stealing data and sending it to a C2 server controlled by the attackers.

These Stalkerware (stalking or spyware) apps can perform various malicious activities, such as stealing contacts, spying on text messages, stealing photos, spying on browsing history, spying on banking apps, and stealing GPS locations.

Spyware Apps Recently Found in the Wild

Researchers from Zscaler observed several spyware apps under different names that use sophisticated evasion techniques to bypass the Google Play Protect security framework.

Android Monitors

The app dubbed Android Monitors cleverly bypasses Play Protect and acts as a keylogger to log the user's activities.

The app has various features and spies on personal WhatsApp messages, Facebook chats, emails, banking activity, and much more.

Figure: Android Monitor initial setup

Based on the appearance of the app, researchers believe that it is still in the development phase.

Package Name: com.ibm.fb
Hash: 97c6c8b961d57d4ebad47f5c63ec6446

Russ City

Dubbed Russ City, the app with the package name city.russ.alltrackercorp poses as a "Thief hacker" app; three similar samples were found, all capable of performing various malicious activities.

Figure: Russ City spyware icon
Figure: Spyware functionality in the manifest file

This app runs background services that perform the following activities:

  • Read text messages
  • Get browser history
  • Fetch call logs
  • Get GPS location
  • Get photos taken with the camera
  • Record audio
  • Record voice calls
  • Capture screenshots

Wi-Fi Settings

Another spyware app, named "Wi-Fi settings", portrays itself as a Wi-Fi settings app; it is installed as "Update Settings" and has persistence capability.


According to Zscaler's research, once the initial setup is done, the attacker can enter his or her credentials and leave the rest to the spyware. As soon as the spyware gets an internet connection, it starts sending the stolen data to a command-and-control (C&C) server.

The Wi-Fi settings stalkerware has a major flaw: the app sends all the stolen information in plain text (unencrypted HTTP), so the exfiltrated data is readable by anyone on the network path.

Figure: Plain-text communication
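As an added example, not code from the article or from Zscaler's research, the Python script below triages a decoded AndroidManifest.xml (text form, as apktool produces; a compiled APK's binary manifest must be decoded first) for the capabilities listed above for Russ City, the device-administrator receiver the write-up describes, and the explicit cleartext-traffic opt-in behind the Wi-Fi settings flaw. The permission mapping, scoring weights, `AdminReceiver` name and sample manifest are my own constructions; only the two package names come from the article.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # ElementTree key prefix for android: attributes

# Permission backing each spying capability named in the write-up (mapping is my own).
SPY_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CALL_LOG": "fetch call logs",
    "android.permission.ACCESS_FINE_LOCATION": "get GPS location",
    "android.permission.RECORD_AUDIO": "record audio / voice calls",
    "android.permission.CAMERA": "get photos",
    "android.permission.READ_CONTACTS": "steal contacts",
}
# Package names quoted in the write-up for Android Monitors and Russ City.
KNOWN_PACKAGES = {"com.ibm.fb", "city.russ.alltrackercorp"}

def triage_manifest(xml_text):
    """Return findings for one decoded AndroidManifest.xml (text form, e.g. apktool output)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    f = {"package": pkg, "known_stalkerware": pkg in KNOWN_PACKAGES,
         "capabilities": [], "device_admin": False, "cleartext": False}
    for up in root.findall("uses-permission"):
        cap = SPY_PERMISSIONS.get(up.get(A + "name", ""))
        if cap:
            f["capabilities"].append(cap)
    app = root.find("application")
    if app is not None:
        # A receiver guarded by BIND_DEVICE_ADMIN is how an app requests device-administrator rights.
        f["device_admin"] = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                                for r in app.findall("receiver"))
        # Explicit opt-in to cleartext HTTP (the default depends on targetSdkVersion).
        f["cleartext"] = app.get(A + "usesCleartextTraffic", "").lower() == "true"
    return f

def risk_score(f):
    """Weights are constructed for illustration: device admin and a known package weigh most."""
    return (len(f["capabilities"]) + (3 if f["device_admin"] else 0)
            + (1 if f["cleartext"] else 0) + (5 if f["known_stalkerware"] else 0))
# Constructed sample manifest combining the traits described for Russ City and Wi-Fi settings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="city.russ.alltrackercorp">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Wi-Fi settings" android:usesCleartextTraffic="true">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Calling `risk_score(triage_manifest(SAMPLE_MANIFEST))` returns 13 for the constructed sample; a benign manifest with no spying permissions, no admin receiver and no cleartext opt-in scores 0.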

Auto Forward

Auto Forward portrays itself as a parental-control app in order to carry out its spying activities.

“As soon as the spyware is installed, it displays itself as an app named Device. It asks for all available permissions necessary to spy”


After successful installation, it harvests the victim's sensitive data and sends it to its command-and-control server; the attacker can then easily view the stolen data, such as text messages, WhatsApp activity, GPS locations, photos, a list of installed apps, and so on.

Remediations (Zscaler)

Smartphone users who suspect their privacy may have been compromised by such apps can consider the following steps:

  • Use a legitimate antivirus app that is regularly updated
  • Try factory-resetting your device
  • Remove suspicious apps from the device administrator list (Settings → Security → Device administrators)

IOCs 

Hash


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
