New Android Malware Called SpyDealer Discovered

A new strain of malware affecting Android devices has been discovered, and it is hitting smartphones hard in Asia.

Researchers at Palo Alto Networks discovered the malware, named ‘SpyDealer’. It uses a commercially available rooting app to exfiltrate data from 40 popular Android apps, including Facebook, WhatsApp, and Skype.

The threat can also extract a range of other information, such as contact details, and can record phone calls and the surrounding audio. The malware can also monitor the user’s location and take control of the device’s camera.

SpyDealer does have the potential to be dangerous, but the researchers at Palo Alto Networks have noted that SpyDealer is only fully effective against Android devices running versions 2.2 through 4.4.

This latest threat appears to be spreading over wireless networks in China. Palo Alto Networks researchers Wenjun Hu, Cong Zheng, and Zhi Xu said, “This represents approximately 25% of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges.”

It’s worth noting that some of the more popular apps exposed to these attacks are Facebook, WhatsApp, Skype, and WeChat. A large number of Chinese apps are also affected, as are browsers on the device such as the Android Native Browser and Firefox.

If SpyDealer has made its way onto your device, it uses Baidu Easy Root to gain privileges and then begins harvesting data from the device. The malware is not known to be distributed through the Google Play Store, and its existence has also been reported.

SpyDealer has been found to have affected more than 1,000 devices so far, with most infections using an app named ‘GoogleService’ or ‘GoogleUpdate’ to gain access.

Experts describe the malware as still under development; a full list of its currently known features is below:

• The ability to steal data from apps installed on the target’s smartphone, such as WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Browser, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk.

• The ability to abuse a legitimate Android feature (Accessibility Services) to steal messages from apps such as WeChat, Skype, Viber, and QQ.

• The ability to control the target’s phone via UDP, TCP and SMS channels

• The ability to take screenshots of the phone’s screen

• The ability to record audio and video, and to record phone calls surreptitiously

• The ability to take photos using the front and back cameras

• The ability to monitor the phone’s geo-location data

• Automatically answering incoming phone calls from a specific number

• The ability to collect smartphone details such as phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, call history, location, and connected Wi-Fi information.
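Two of the indicators above are cheap for a defender to check on a device: the Android release range the article names (2.2 through 4.4) and an unexpected accessibility service, since the Accessibility Services feature is what the malware abuses to read messages. The following triage helper is an added example and is not code from the article or from Palo Alto Networks. It parses the text an analyst would pull over adb with `getprop ro.build.version.release` and `settings get secure enabled_accessibility_services` (the latter is a colon-separated list of `package/class` entries). The allow-list and the sample device strings are constructed for the example.

```python
"""Triage helper for the SpyDealer indicators described in the article.

Added example, not part of the original article or of Palo Alto Networks'
report. It flags:
  * an Android release inside the 2.2..4.4 range the article names, and
  * enabled accessibility services whose package is not on an allow-list.
All sample strings below are constructed, not captured from a real device.
"""
import re

# Android releases the article says SpyDealer can fully compromise (inclusive).
VULNERABLE_MIN = (2, 2)
VULNERABLE_MAX = (4, 4)

# Hypothetical allow-list of accessibility services an organisation expects
# to see (TalkBack is Android's built-in screen reader). Anything else is
# surfaced for review.
KNOWN_GOOD_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_release(release: str) -> tuple:
    """Turn 'ro.build.version.release' text such as '4.4.2' into (4, 4)."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised Android release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)))


def release_in_vulnerable_range(release: str) -> bool:
    """True when the major.minor release falls inside the 2.2..4.4 window."""
    return VULNERABLE_MIN <= parse_release(release) <= VULNERABLE_MAX


def parse_accessibility_services(setting: str) -> list:
    """Parse the colon-separated 'package/class' list that Android stores in
    the secure setting enabled_accessibility_services. 'null' or an empty
    string means nothing is enabled. Returns (package, class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    services = []
    for entry in setting.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # Android accepts the shorthand 'pkg/.Class'; expand it for readability.
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_accessibility_services(setting: str, allow=KNOWN_GOOD_PACKAGES) -> list:
    """Return enabled services whose package is not on the allow-list."""
    return [(p, c) for p, c in parse_accessibility_services(setting) if p not in allow]


def triage(release: str, accessibility_setting: str) -> dict:
    """Combine both checks into a small report an analyst can act on."""
    findings = []
    if release_in_vulnerable_range(release):
        findings.append(
            f"Android {release.strip()} is within the 2.2-4.4 range where "
            "SpyDealer can gain elevated privileges"
        )
    for pkg, cls in suspicious_accessibility_services(accessibility_setting):
        findings.append(f"unexpected accessibility service enabled: {pkg}/{cls}")
    return {"release": release.strip(), "findings": findings}


# Constructed sample device state (not output from a real infected device).
SAMPLE_RELEASE = "4.4.2"
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.updater/com.example.updater.AccService"
)

if __name__ == "__main__":
    report = triage(SAMPLE_RELEASE, SAMPLE_ACCESSIBILITY)
    for line in report["findings"]:
        print("-", line)
```

On a real device the two input strings come from `adb shell getprop ro.build.version.release` and `adb shell settings get secure enabled_accessibility_services`; the allow-list should be replaced with the services the organisation actually deploys. A service that is enabled but not recognised is a lead to investigate, not proof of infection.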

The first recorded infection by SpyDealer was in October 2015. Since its most recent update in May 2017, both the number of affected users and the Trojan’s features have increased.

For more details, see Palo Alto Networks’ report on SpyDealer.

Constantly threatening to write a book, but always with a story to tell. Tom has a typical northern English soul. He may sound as mundane as Jon Snow, but at least he tries to articulate. Lover of video games, comics, geek pop culture and wishing he could play Dungeons & Dragons.