Thousands of smartphones infected with 'spy' malware

News by Tim Ring

Tens of thousands of smartphone users have been hit by a new class of botnet that illicitly gathers information.

Tens of thousands of smartphone users have been hit by a new class of botnet that illicitly gathers information on their location, nearby hotspots and potentially the user's connection to their PC and home wireless network

The “XXXX.apk” malware has been revealed by Los Angeles-based cybercrime research firm IntelCrawler. The company says XXXX purports to gather information about the user's phone model, encryption method, password, use of WiFi networks and other technical data. But the malware also uses the phone as a “zombie” device to collect data about all nearby hotspots without authorisation.

IntelCrawler says the botnet has been found on 23,856 compromised smartphones – including the HTC Sensation and Amaze 4G, the Google Nexus, the Samsung GT I9300 and Galaxy Note II SCH-I605. It has also been found on the LG Motion 4G (MS770), Huawei U8665 and Alcatel One Touch.

In a briefing document sent to, IntelCrawler adds: “One aspect of the malware seems to detect the cellphone connection to the PC through USB, which could allow for its wireless detection work to be done without degrading the battery power. It also might be an avenue into the PC in the next generation of the malware.”

Company CEO Andrey Komarov warns: “Privacy in the modern world is a great challenge, you never know who is looking at you and why. Cellphone malware that can track your location, and possibly even sniff your home wireless network for a possible hack, poses a serious threat to everyone.”

Komarov added the purpose of the malware currently seems to be “intelligence gathering” rather than for criminal activities.

“Besides sending the data about wireless networks and extracted details about credentials of the user, geographical location and information about the compromised device, the malware doesn't perform any other harmful payload and sends it during the time when the battery is charging, which means that this software is used from an intelligence point of view.”

IntelCrawler says that the malware was distributed via fake mobile apps published on repositories such as Android Market. Each report sent is stored according to the device model and the email address of the victim, both of which are extracted from the mobile phone configuration.

The company adds: “The list of intercepted hotspots grabbed from compromised mobile devices is amazing – from restaurants, VIP lounges in the international airports and luxury hotels, to corporate wireless and SOHO networks, from peaceful citizens to government employees. One can only speculate the true intention of the malware and its possible threat potential.” Hotspot locations include China, the US, EU countries, Israel, India, Singapore and Russia.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews