Warning out vs 'Google++' malware — Trend Micro


Google+ members using smartphones running Android 2.2 and lower, look out for that extra plus: malware that eavesdrops on users' phone calls is using Google's social network Google+ as a cover.

Computer security firm Trend Micro noted that the malware, which uses the Google+ icon to hide itself from the user, is installed as "Google++."

"This malware uses the guise of Google+, Google’s recently released social network, in trying to hide itself from the user. All the above-mentioned services use the Google+ icon, and the app itself is installed under the name Google++," Trend Micro threats analyst Mark Balanza said in a blog post (http://blog.trendmicro.com/android-malware-eavesdrops-on-users-uses-google-as-disguise/).

Balanza said the malware, detected as ANDROIDOS_NICKISPY.C, is similar to earlier malware ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, which record phone calls made from an infected device and send them to a remote site. He said the newest malware uses the following services:

    MainService
    AlarmService
    SocketService
    GpsService
    CallRecordService
    CallLogService
    UploadService
    SmsService
    ContactService
    SmsControllerService
    CommandExecutorService
    RegisterService
    CallsListenerService
    KeyguardLockService
    ScreenService
    ManualLocalService
    SyncContactService
    LocationService
    EnvRecordService

Balanza said ANDROIDOS_NICKISPY.C can collect data from the device, such as SMS messages, call logs and GPS location, and then upload it to a certain URL through port 2018. It can also receive commands through SMS, although for a command to be executed the sender has to send the message from the predefined “controller” number in the malware’s configuration file and enter a password.

Answering incoming calls

Aside from recording phone calls on the infected device, ANDROIDOS_NICKISPY.C can also answer an incoming call automatically. But Trend Micro said the code suggests that the following criteria must be met before the malware answers the phone:
  • The call must be from the number on the “controller” tag from its configuration file.
  • The phone screen must be turned off.
"Before answering the call, it puts the phone on silent mode, to prevent the target user from hearing it. It also hides the dial pad and sets the current screen to display the home page," Balanza said.

From the looks of it, the developer behind this app went for the more real-time kind of eavesdropping as well, apart from the one being used by ANDROIDOS_NICKISPY.A that involves the recording of the call.

On the other hand, he said the malicious app works only on Android 2.2 and below, since the MODIFY_PHONE_STATE permission was disabled in Android 2.3.

— TJD, GMA News
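
For defenders triaging a sideloaded app, the indicators named in the article (the "Google++" label, the listed service names and the MODIFY_PHONE_STATE permission) can be checked against a decoded AndroidManifest.xml. The following Python is an added example, not Trend Micro's code; the sample manifest, its placeholder package name, the match threshold and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Indicators taken from the article: service names and the phone-state permission.
REPORTED_SERVICES = set("""MainService AlarmService SocketService GpsService
CallRecordService CallLogService UploadService SmsService ContactService
SmsControllerService CommandExecutorService RegisterService CallsListenerService
KeyguardLockService ScreenService ManualLocalService SyncContactService
LocationService EnvRecordService""".split())
PHONE_PERMISSION = "android.permission.MODIFY_PHONE_STATE"
KNOWN_LABELS = {"Google+"}  # legitimate label the article says is being imitated

# Constructed sample: a decoded manifest with a literal label and a placeholder package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <application android:label="Google++">
    <service android:name=".CallRecordService"/>
    <service android:name="com.example.placeholder.SmsControllerService"/>
    <service android:name=".EnvRecordService"/>
    <service android:name=".UnrelatedService"/>
  </application>
</manifest>"""

def _squash(label):
    """Lower-case and drop punctuation so 'Google++' and 'Google+' compare equal."""
    return "".join(c for c in label.lower() if c.isalnum())

def triage(manifest_xml, min_services=3):
    """Return the article's indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(NS + "label") or "") if app is not None else ""
    # Compare simple class names, so '.Foo' and 'pkg.Foo' are treated alike.
    services = {(s.get(NS + "name") or "").rsplit(".", 1)[-1] for s in root.iter("service")}
    matched = sorted(services & REPORTED_SERVICES)
    lookalike = label not in KNOWN_LABELS and any(
        _squash(label) == _squash(k) for k in KNOWN_LABELS)
    has_perm = PHONE_PERMISSION in perms
    return {
        "lookalike_label": lookalike,
        "phone_permission": has_perm,
        "matched_services": matched,
        # Hypothetical rule: a lookalike label alone, or permission plus several names.
        "suspicious": lookalike or (has_perm and len(matched) >= min_services),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Several of the listed service names are generic enough to appear in benign apps, so the name overlap is only meaningful in combination with the label or the permission.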