Smartphones running the Android OS are growing rapidly in popularity, and with that popularity comes attention from attackers, who use whatever is most widely used as an attack vector. We expect the threat landscape for Android malware to grow considerably in the days to come.
It has been a year since the first Android malware (Android/FakePlayer.a) was found in the wild. In 12 months this category has grown rapidly and now includes some big names: Android/Geinimi, Android/DRAD, Android/DNightmare, and Android/HippoSMS.
The latest addition to this list is Android/NickiSpy. Until now, Android malware has been written either to send SMS messages to premium-rate numbers or to spy on the user’s location. Android/NickiSpy stands out because it can record the user’s telephone conversations and store them on the compromised device’s SD card.
Analysis
Android/NickiSpy carries many malicious payloads that we have already seen in other Android malware: monitoring the call log and call types, obtaining the current location of the device, and retrieving the IMEI number, IP address, and port.
But one of the most interesting aspects of this malware is its ability to record the outgoing and incoming calls made on the compromised phone. It stores the conversations in .AMR (Adaptive Multi-Rate) format, a compressed audio codec designed primarily for speech.
At installation time, the app asks the user to grant the following permissions:
Figure 1: Permission-request message from the app.
Among the permission requests, note the “Hardware controls” permission (RECORD_AUDIO) it requires for recording audio:
Figure 2: Permission request to record audio.
After the application is installed and the device is rebooted, the following services start in the background:
Figure 3: Android/NickiSpy creates a service to record calls.
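The permission figures and the boot-time service above are exactly what a static triage of the APK’s manifest should surface. The following script is an added example (not McAfee’s tooling) that parses a decoded AndroidManifest.xml, as produced by a tool such as apktool, and flags the profile NickiSpy shows: RECORD_AUDIO from the Hardware controls group, a declared service, and a receiver for BOOT_COMPLETED. The two sample manifests are constructed; the READ_PHONE_STATE and RECEIVE_BOOT_COMPLETED checks are assumptions drawn from the behaviour described on this page (IMEI collection, restart after reboot), not from the figures.

```python
"""Static triage of a decoded AndroidManifest.xml for the combination this
page shows for Android/NickiSpy: audio-recording permission plus a background
service that comes up after reboot.  Added example, not McAfee's code; the
manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # how ElementTree spells android:name

RECORD_AUDIO = "android.permission.RECORD_AUDIO"            # "Hardware controls" group
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"    # assumption: call state + IMEI
RECEIVE_BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"  # assumption: restart at boot
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text):
    """Return the permissions, services, boot receivers and a list of findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    services = [s.get(NAME) for s in root.iter("service")]
    # A receiver whose intent-filter listens for BOOT_COMPLETED is the usual
    # way a background service is brought back up after a reboot.
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    findings = []
    if RECORD_AUDIO in perms:
        findings.append("can record audio")
    if RECORD_AUDIO in perms and READ_PHONE_STATE in perms:
        findings.append("can tie recordings to call state / IMEI")
    if RECEIVE_BOOT in perms and boot_receivers and services:
        findings.append("restarts a background service after reboot")
    return {
        "permissions": sorted(p for p in perms if p),
        "services": services,
        "boot_receivers": boot_receivers,
        "findings": findings,
    }


# Constructed manifest mimicking the NickiSpy profile described on the page.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.spy">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Constructed Sample">
    <service android:name=".CallRecordService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of a plain voice-memo app: records audio, no persistence.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.memo">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Constructed Memo">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("spy sample", SAMPLE_MANIFEST), ("memo app", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(label, "->", result["findings"] or ["nothing notable"])
```

RECORD_AUDIO on its own is not a verdict: voice recorders and VoIP clients hold it legitimately. The combination of the recording permission, a declared service and a BOOT_COMPLETED receiver is what moves a sample from “can record” to “keeps recording whether or not the user opens it again”, and that is the pattern worth escalating for dynamic analysis.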
At installation the malware also drops a configuration file onto the phone. This file holds everything the app needs, including the address and port of the command server it communicates with.
Figure 4: The configuration file carries all the information the malware needs to communicate.
To trigger the payload of this malicious app, we ran two emulators in a controlled environment and placed a call from the infected one to the other. The malware recorded the conversation and stored it on the compromised phone’s SD card.
Figure 5: Calling from the infected mobile to the other device.
The conversation was stored on the SD card under /sdcard/shangzhou/callrecord/, with a filename in the format yyyyMMddHHmmss: “20110808120727.amr” for a call made on 08-Aug-2011 at 12:07:27 p.m.
Figure 6: Android/NickiSpy recorded the conversation and stored it on the SD card.
Figure 7: The recorded conversation pulled from the SD card.
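The fixed drop directory and the timestamp-based filename are convenient forensic artifacts. The script below is an added example (not part of the original post) that sweeps an SD-card mount or image for the /shangzhou/callrecord/ directory, parses each filename back into the call time, and checks the first bytes of the file for the AMR magic string “#!AMR\n” defined in RFC 4867, so that a renamed or planted file does not pass as a recording. The sample SD-card tree it builds is constructed, and the audio bytes inside it are placeholder data, not real speech.

```python
"""Forensic sweep for the artifacts this page attributes to Android/NickiSpy:
<sdcard>/shangzhou/callrecord/<yyyyMMddHHmmss>.amr.  Added example, not part of
the original post; the SD-card tree built below is constructed for the demo."""
import os
import re
import tempfile
from datetime import datetime

AMR_MAGIC = b"#!AMR\n"  # single-channel AMR-NB file header, RFC 4867
NAME_RE = re.compile(r"^(\d{14})\.amr$")
RECORD_DIR = os.path.join("shangzhou", "callrecord")


def parse_record_name(name):
    """Turn '20110808120727.amr' into a datetime; None if the name does not fit."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    except ValueError:  # fourteen digits that are not a valid date
        return None


def sweep(sdcard_root):
    """List every file in the drop directory with its parsed call time and
    whether it really starts with the AMR magic."""
    rec_dir = os.path.join(sdcard_root, RECORD_DIR)
    hits = []
    if not os.path.isdir(rec_dir):
        return hits
    for name in sorted(os.listdir(rec_dir)):
        path = os.path.join(rec_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            is_amr = fh.read(len(AMR_MAGIC)) == AMR_MAGIC
        hits.append({
            "path": path,
            "timestamp": parse_record_name(name),
            "amr": is_amr,
            "size": os.path.getsize(path),
        })
    return hits


def build_constructed_sdcard():
    """Create a throwaway SD-card tree shaped like the one on this page."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    rec_dir = os.path.join(root, RECORD_DIR)
    os.makedirs(rec_dir)
    # Constructed recording: valid header followed by placeholder frame bytes.
    with open(os.path.join(rec_dir, "20110808120727.amr"), "wb") as fh:
        fh.write(AMR_MAGIC + b"\x3c" + b"\x00" * 31)
    # Constructed non-recording dropped into the same directory.
    with open(os.path.join(rec_dir, "notes.txt"), "wb") as fh:
        fh.write(b"not a recording")
    return root


if __name__ == "__main__":
    for hit in sweep(build_constructed_sdcard()):
        when = hit["timestamp"].isoformat(" ") if hit["timestamp"] else "unparsable name"
        print("%s  amr=%s  %d bytes  %s" % (hit["path"], hit["amr"], hit["size"], when))
```

Point sweep() at a mounted SD card or an extracted image of one; the timestamps come from the filenames, so they reflect the phone’s own clock at the time of the call and should be compared against the call log the malware also monitors rather than trusted on their own.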
The malware also retrieves the IMEI number of the compromised device and sends that information to the mobile number “15859268161”.
Here is a simple demonstration of Android/NickiSpy:
It’s clear that authors of Android malware see the platform as a fertile breeding ground. We expect to see much more growth in this area. McAfee products detect this malware in our latest DATs as Android/NickiSpy.
As always, users should never install unknown or untrusted software or applications on their mobile devices.