The Latest in IT Security

Android Malware Eavesdrops on Users, Uses Google+ as Disguise


Last week, we reported on ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, Android malware that records phone calls made from an infected device and sends the recordings to a remote site.

This week we saw another variant that has the same code structure as ANDROIDOS_NICKISPY.A. It also does not display an icon on the device and executes similar routines, save for some modifications.

Detected by Trend Micro products as ANDROIDOS_NICKISPY.C, it uses the following services:

  • MainService
  • AlarmService
  • SocketService
  • GpsService
  • CallRecordService
  • CallLogService
  • UploadService
  • SmsService
  • ContactService
  • SmsControllerService
  • CommandExecutorService
  • RegisterService
  • CallsListenerService
  • KeyguardLockService
  • ScreenService
  • ManualLocalService
  • SyncContactService
  • LocationService
  • EnvRecordService

This malware uses the guise of Google+, Google’s recently released social network, to hide itself from the user. All of the services listed above use the Google+ icon, and the app itself is installed under the name Google++.




ANDROIDOS_NICKISPY.C can collect data from the device, such as SMS messages, call logs, and GPS location, and upload it to a certain URL through port 2018.

It can also receive commands through SMS. For a command to be executed, however, the sender must send the message from the predefined “controller” number in the malware’s configuration file and must also enter a password.

Listening In

Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C can record phone calls made from the infected device. What sets this variant apart, however, is that it can also answer an incoming call automatically.

The code suggests that the following criteria must be met before the malware answers the phone:

  1. The call must be from the number on the “controller” tag from its configuration file.
  2. The phone must be turned off.

Before answering the call, it puts the phone on silent mode, to prevent the target user from hearing it. It also hides the dial pad and sets the current screen to display the home page.




From the looks of it, the developer behind this app also went for a more real-time kind of eavesdropping, in addition to the call recording used by ANDROIDOS_NICKISPY.A.

This malicious Android app works only on Android 2.2 and below, since the MODIFY_PHONE_STATE permission was disabled in Android 2.3.
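The traits described above can be checked together when triaging an app's decoded manifest. The following Python sketch is an added example, not code from the original analysis or from Trend Micro; the sample manifest and its package name are constructed, the trait labels are hypothetical, and treating Google+ branding on a non-`com.google.` package as suspicious is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Service class names listed in the article for ANDROIDOS_NICKISPY.C.
LISTED_SERVICES = set("""MainService AlarmService SocketService GpsService
CallRecordService CallLogService UploadService SmsService ContactService
SmsControllerService CommandExecutorService RegisterService
CallsListenerService KeyguardLockService ScreenService ManualLocalService
SyncContactService LocationService EnvRecordService""".split())

# Constructed sample: a decoded AndroidManifest.xml written for this example,
# not taken from a real sample. The package name is a placeholder.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <application android:label="Google++">
    <service android:name=".MainService"/>
    <service android:name=".CallRecordService"/>
    <service android:name=".SmsControllerService"/>
    <service android:name=".CommandExecutorService"/>
    <service android:name="com.example.constructed.EnvRecordService"/>
  </application>
</manifest>"""

def triage(manifest_xml, min_services=4):
    """Return the sorted list of traits from the article found in a manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_label = app.get(NS + "label", "") if app is not None else ""
    hits = set()
    # Trait 1: Google+ branding on a package outside com.google.* (assumed heuristic).
    if "google+" in app_label.lower() and not root.get("package", "").startswith("com.google."):
        hits.add("google-plus-disguise")
    # Trait 2: no LAUNCHER category anywhere, so no icon is shown to the user.
    categories = {c.get(NS + "name") for c in root.iter("category")}
    if "android.intent.category.LAUNCHER" not in categories:
        hits.add("no-launcher-icon")
    # Trait 3: several declared services share names with the article's list.
    names = {s.get(NS + "name", "").rsplit(".", 1)[-1] for s in root.iter("service")}
    if len(names & LISTED_SERVICES) >= min_services:
        hits.add("nickispy-service-names")
    # Trait 4: the permission the article says the app depends on.
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if "android.permission.MODIFY_PHONE_STATE" in perms:
        hits.add("modify-phone-state")
    return sorted(hits)

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Each trait on its own also occurs in legitimate apps, so the result is a prioritization signal for manual review rather than a verdict. Real manifests often store the label as a resource reference, which must be resolved before the label check is meaningful.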

For ways to keep an Android device secure, users may check our ebook, 5 Simple Steps to Secure Your Android-Based Smartphones.

Additional analysis by Julius Dizon and Kervin Alintanahin.
