Android Trojan Gains Full Control

Monday, July 10, 2017 @ 06:07 PM gHale


A new type of malware can hit as much as one quarter of devices running the Android mobile operating system.

SpyDealer is the Trojan and once it infects an Android device, a hacker can do anything he or she wants, including spying on users and stealing personal data, said researchers at Palo Alto Networks.


While it’s not yet clear how it infects a device, SpyDealer does not end up bundled into Google Play Store apps, so it possibly enters through apps in third-party stores, the researchers said.

Once it compromises a device, SpyDealer attempts to gain root privileges using exploits from an app called Baidu Easy Root, which could give attackers full control. The Trojan supports remote control via UDP, TCP, and SMS, and can steal data from a wide variety of applications, including WhatsApp, Facebook, Skype, Telegram, and Firefox.

SpyDealer can also extract personal information from the compromised Android device, including SMS conversations, phone numbers, accounts, call history, and even location. Attackers with remote control over the device can also take photos with the camera, record phone calls, take screenshots, and even listen to what’s happening near the phone.

Devices running Android version 2.2 and 4.4 end up fully exposed to SpyDealer, but newer versions of the operating system are also vulnerable, though less data can be accessed because of their security improvements, Palo Alto Networks researchers said. Actions that require higher privileges on newer Android versions are blocked, but security researchers said the malware can still “steal significant amount of information.”

“As of June 2017, we have captured 1046 samples of SpyDealer,” researchers said. “Our analysis shows that SpyDealer is currently under active development. There are three versions of this malware currently in the wild, 1.9.1, 1.9.2 and 1.9.3. Starting from 1.9.3, content of configuration files and almost all constant strings in the code are encrypted or encoded. An accessibility service was also introduced in 1.9.3 to steal targeted apps’ messages. According to our dataset, most of these samples use the app name ‘GoogleService’ or ‘GoogleUpdate.’”
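The article notes two defender-relevant traits: SpyDealer does not arrive through Google Play, and from 1.9.3 it registers an accessibility service to read other apps' messages. The following triage script (an added example, not from the article or Palo Alto Networks) correlates the enabled accessibility services on a device with each package's installer so that sideloaded apps holding accessibility access stand out. The two adb commands named in the comments are real; the captured outputs embedded here are constructed samples and the package names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# The setting is a colon-separated list of "package/ServiceClass" entries.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.googleservice/com.example.googleservice.MsgAccessibilityService"
)

# Constructed sample of `adb shell pm list packages -i`.
# Each line reads "package:<name>  installer=<installer package or null>".
PM_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.googleservice  installer=null
"""

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ("null" means sideloaded/unknown)."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the accessibility setting into (package, service class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [tuple(entry.split("/", 1)) for entry in setting.split(":") if "/" in entry]

def find_sideloaded_a11y(setting: str, pm_output: str) -> List[dict]:
    """Flag accessibility services owned by packages not installed from a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, svc in parse_enabled_services(setting):
        installer = installers.get(pkg, "unknown")  # absent from pm output is suspicious too
        if installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": svc, "installer": installer})
    return findings

if __name__ == "__main__":
    for f in find_sideloaded_a11y(ENABLED_A11Y, PM_INSTALLERS):
        print(f"REVIEW: {f['package']} ({f['service']}) installer={f['installer']}")
```

A hit only means a sideloaded app holds accessibility access; confirm by pulling the APK and checking its declared services and requested permissions before treating it as SpyDealer.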
