A recently discovered Android Trojan can exfiltrate private data from more than 40 applications, Palo Alto Networks security researchers have discovered.
Dubbed SpyDealer, the malware is capable of stealing sensitive messages from communication apps using the Android accessibility service feature, and gains rooting privileges with the help of exploits from a commercial rooting app called Baidu Easy Root. It uses root privileges to maintain persistence on the compromised device.
According to Palo Alto Networks, the Trojan can remotely control the device via UDP, TCP and SMS channels. It can steal information from popular applications such as WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Brower, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk.
Once the malware has compromised a device, it can harvest an exhaustive list of personal information, including phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information. It can also answer incoming phone calls from a specific number, can record phone calls and the surrounding audio and video, can take photos with the device’s cameras, monitor location, and take screenshots.
Palo Alto Networks researchers couldn’t determine exactly how SpyDealer infects devices, but say that it isn’t distributed through the official Google Play store and that some users might have been infected via compromised wireless networks. The Trojan is only effective against Android 2.2 to 4.4 releases, given that these are the only versions the rooting tool it uses supports, meaning that it could potentially infect around 25% of all Android devices.
“On devices running later versions of Android, it can steal significant amounts of information, but it cannot take actions that require higher privileges,” the network security firm says.
The security researchers have captured 1,046 samples of SpyDealer and say that it is under active development, with three variants currently in the wild. The latest variant encrypts the content of configuration files and almost all constant strings in the code, and also packs a service to steal targeted apps’ messages.
The oldest Trojan sample is dated October 2015, which suggests the threat has been active for over a year and a half.
Once installed, the malware doesn’t show an application icon, but registers “two broadcast receivers to listen for events related to the device booting up and network connection status.” At the first launch, the malware retrieves configuration information (from a local asset that can be remotely updated) such as the IP address of a remote command and control (C&C) server, the actions it can take on mobile networks, and the actions allowed under a Wi-Fi network.
By registering a broadcast receiver with a higher priority than the default messaging app, SpyDealer can listen for commands via incoming SMS messages. It can also create a TCP server on the compromised device listening at port 39568, and can actively connect to the remote server to ask for commands through UDP or TCP.
“To remotely control the victim device, the malware implements three different C&C channels and supports more than 50 commands,” Palo Alto Networks said.