SpyDealer: Android Trojan Spying on More Than 40 Apps

Researchers at Palo Alto Networks have discovered an app called SpyDealer that can listen in on more than 40 apps. The researchers haven’t figured out yet how it uses the information, but it is a big deal either way.

SpyDealer is capable of doing the following:

  • Exfiltrates private data from more than 40 popular apps including: WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Browser, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk
  • Abuses the Android Accessibility Service feature to steal sensitive messages from popular communication and social apps such as WeChat, Skype, Viber, QQ
  • Takes advantage of the commercial rooting app “Baidu Easy Root” to gain root privilege and maintain persistence on the compromised device
  • Harvests an exhaustive list of personal information including phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information
  • Automatically answers incoming phone calls from a specific number
  • Allows remote control of the device via UDP, TCP and SMS channels
  • Spies on the compromised user by:
    • Recording phone calls and the surrounding audio and video
    • Taking photos via both the front and rear camera
    • Monitoring the compromised device’s location
    • Taking screenshots

There are several factors that help mitigate the risk to most users:

  • As far as we know, SpyDealer has not been distributed through the Google Play store
  • We do not know exactly how devices are initially infected with SpyDealer, but have seen evidence to suggest Chinese users becoming infected through compromised wireless networks.
  • We have reported information on this threat to Google, and they have created protections through Google Play Protect.
  • SpyDealer is only completely effective against Android devices running versions between 2.2 and 4.4, as the rooting tool it uses only supports those versions. This represents approximately 25% of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges.
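As an added example (not code from this post or from Palo Alto Networks), the following Python script checks a device for the two traits described above: Accessibility Services that are enabled but not expected, and an Android release inside the 2.2 to 4.4 window the rooting tool supports. It assumes the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell getprop ro.build.version.release`, captured here as constructed strings; the allowlist of known-good services is hypothetical.

```python
# Defender-side triage of two SpyDealer indicators described in the post.
# Inputs are the text that the two assumed adb commands would print; they are
# embedded as constructed samples so the script runs offline.

# Constructed sample: a legitimate screen reader plus an unknown service.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/com.example.unknownapp.SpyService"
)
SAMPLE_RELEASE = "4.4.2"  # constructed: inside the rootable window

# Hypothetical allowlist of accessibility services expected on managed devices.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Version range quoted in the post (inclusive on both ends).
ROOTABLE_MIN = (2, 2)
ROOTABLE_MAX = (4, 4)


def parse_accessibility_services(raw):
    """Split the colon-separated package/class list; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def unexpected_accessibility_services(raw, allowlist=KNOWN_GOOD_SERVICES):
    """Return enabled services that are not in the allowlist, for manual review."""
    return [s for s in parse_accessibility_services(raw) if s not in allowlist]


def in_rootable_window(release):
    """True if the major.minor release falls in the 2.2-4.4 range the post cites."""
    parts = [int(p) for p in release.strip().split(".")[:2] if p.isdigit()]
    version = tuple(parts)
    return ROOTABLE_MIN <= version <= ROOTABLE_MAX


def assess(services_raw, release):
    """Combine both checks into one triage verdict for the device."""
    return {
        "unexpected_services": unexpected_accessibility_services(services_raw),
        "rootable": in_rootable_window(release),
    }
```

On a device in the rootable window with an unrecognised accessibility service enabled, both fields of the verdict are populated; either alone is still worth a closer look.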

Now that this extremely complex app has been reported and protections are in place, most people should be protected. Remember to only download apps from Google Play or other trusted sources.

All but one of the servers that SpyDealer reports back to are located in China; the exception is in the USA.

The full Palo Alto Networks article is worth reading: they have done a very detailed job of identifying the malicious app and its properties.

Kevin Button

Kevin is a BlackBerry enthusiast and is known to be shouting it from the tops of mountains.