Pages

15.8.11

Warning out vs 'Google++' malware — Trend Micro

Google+ members using smartphones running Android 2.2 and lower, look out for that extra plus: a malware that eavesdrops on users' phone calls is using Google's social network Google+ as a cover.

But computer security firm Trend Micro noted the malware, which uses the Google+ icon to hide itself from the user, is installed as "Google++."

This malware uses the guise of Google+, Google’s recently released social network, in trying to hide itself from the user. All the above-mentioned services use the Google+ icon, and the app itself is installed under the name Google++," 

ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, a kind of Android malware that records phone calls made from an infected device and sends it to a remote site.

This week we saw another has the same code structure as ANDROIDOS_NICKISPY.A, also does not display an icon in the device, and executes similar routines, save for some modifications.

Detected by Trend Micro products as ANDROID_NICKISPY.C, it uses the following services:
  • MainService
  • AlarmService
  • SocketService
  • GpsService
  • CallRecordService
  • CallLogService
  • UploadService
  • SmsService
  • ContactService
  • SmsControllerService
  • CommandExecutorService
  • RegisterService
  • CallsListenerService
  • KeyguardLockService
  • ScreenService
  • ManualLocalService
  • SyncContactService
  • LocationService
  • EnvRecordService
This malware uses the guise of Google+, Google’s recently released social network, in trying to hide itself from the user. All the above-mentioned services use the Google+ icon, and the app itself is installed under the name Google++.
















ANDROIDOS_NICKISPY.C is capable of collecting data from the device, data such as SMS messages, call logs, GPS location, and then uploads them to a certain URL through port 2018.

It is also capable of receiving commands through SMS. To do so, however, requires the sender to use the predefined “controller” number from the malware’s configuration file to send the message, as well as enter a password, for the command to be executed.

Listening In

Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C also has the capability to record phone calls made from the infected device. However, the difference with this particular variant is that it has the capability to answer an incoming call automatically.
 The code suggests that the following criteria must be met before the malware answers the phone:
  1. The call must be from the number on the “controller” tag from its configuration file.
  2. The phone screen must be turned off.
Before answering the call, it puts the phone on silent mode, to prevent the target user from hearing it. It also hides the dial pad and sets the current screen to display the home page. However, during testing after the malware answered the phone, the screen went blank.

 






From the looks of it, the developer behind this app went for the more real-time kind of eavesdropping as well, apart from the one being used by ANDROIDOS_NICKISPY.A that involves the recording of the call.

This malicious Android app works only on Android 2.2 and below, since the MODIFY_PHONE_STATE permission was disabled in Android 2.3.

For ways on how to keep an Android device secured, users may check our ebook, 5 Simple Steps to Secure Your Android-Based Smartphones.