SpyDealer Android malware steals data from Facebook, Skype, other apps

News by Rene Millman

Highly sophisticated SpyDealer malware attacks Android operating systems and can exfiltrate data from a range of popular apps.

Malware targeting Android devices has been discovered exfiltrating data from over 40 apps including Facebook, WhatsApp, Skype and others.

Researchers at Palo Alto Networks said that the malware, dubbed SpyDealer, harvests personal information including phone numbers, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location and connected Wi-Fi information. It can also track a device's location and record images and audio.

It can also automatically answer incoming phone calls from a specific number and remote control a device via UDP, TCP and SMS channels. To remotely control the victim device, the malware implements three different C2 channels and support more than 50 commands.

The malware can root the device and maintains persistence using the Baidu Easy Root app.

The researchers said that as far as they know, SpyDealer has not been distributed through the Google Play store.

“We do not know exactly how devices are initially infected with SpyDealer, but have seen evidence to suggest Chinese users become infected through compromised wireless networks,” said Wenjun Hu, Cong Zheng and Zhi Xu in a blog post.

At present, the malware is only completely effective against Android devices running versions between 2.2 and 4.4, as the rooting tool it uses only supports those versions. This represents approximately 25 per cent of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges.

The researchers said they had found over 1000 samples of the malware in the wild. Most of these samples use the app name “GoogleService” or “GoogleUpdate”. The most recent sample observed by researchers was created in May 2017 while the oldest sample dates back to October 2015.

Matthew Aldridge, solutions architect at Webroot, told SC Media UK that the malware  is designed for in-depth spying on the communications and activities of individuals and possibly targeted groups of users. 

“The intelligence that SpyDealer gathers could be used either by nation-state actors to pursue their goals, or by organised criminals. In either case, the possible outcomes for targeted infected users are manipulation, extortion, blackmail or even direct action by nation state officials,” he said.

He said the malware will not be easy to remove. “A full wipe of the device is recommended and where possible reinstallation of the latest firmware, then security software,” he said.

Javvad Malik, security advocate at AlienVault, told SC that it's a bit early to fully establish the true intent of the developers of this malware. “But being absent from the Play Store, it could be used to gain access to the information of targeted individuals as opposed to a mass attack,” he said.

“Organisations should maintain the latest version of Android, and where possible, monitor network traffic and educate users on dangers that are present and to restrict exchange of sensitive corporate data over potentially vulnerable apps.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews