CallerSpy can monitor calls and messages, take screenshots and record its surroundings, say researchers, who warn that it could be the early stage of a targeted cyber-espionage campaign.
A new form of mobile malware designed to snoop on calls, texts and other communications is targeting Android users by duping them into downloading a fake chat application.
The trojan malware, dubbed CallerSpy, has been discovered and detailed by cybersecurity researchers at Trend Micro, who believe the malware attacks are part of a cyber espionage campaign.
Smartphones are a particularly useful target for attackers bent on cyber espionage: not only do the devices contain vast amounts of information, they are also with the target the entire time.
Researchers initially uncovered the threat in May this year, after finding a fake Google web address advertising a chat app called Chatrious. Shortly after being discovered, however, the page hosting the malicious Android application package (APK) file disappeared.
It returned in October, this time hosting a new malicious chat application called Apex App. Like Chatrious, this is a front for the CallerSpy malware.
Despite being advertised as a chat application, the CallerSpy apps don’t contain any chat capabilities, but rather are what researchers describe as “riddled with espionage features”.
Once downloaded and launched, the app connects to a command-and-control server, from which the malware takes its orders as it snoops on the device.
Malicious capabilities of CallerSpy include collecting all call logs, text messages, contact lists and files on the device, using the phone's microphone to record audio of its surroundings, and taking screenshots of user activity. All of the stolen data is periodically uploaded to the attackers' command-and-control server.
The malicious website hosting the CallerSpy downloads is designed to look like Google's, complete with copyright information, although a quick inspection of the URL shows the address has one more O in "Google" than there should be. On some mobile browsers, however, the full address won't always be displayed clearly. The domain was registered in February, but there are no clues as to who set it up.
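The extra-O lure is a classic typosquat, and it is the kind of thing a proxy or DNS log check can catch before a user ever sees the page. The following is an added example, not code from the article or from Trend Micro's write-up: it flags hostnames whose DNS labels are one edit away from a watched brand, then runs that check over a few constructed proxy log lines. The hostnames, log format and `WATCHED_BRANDS` list are assumptions for illustration; the real CallerSpy domain is not reproduced here.

```python
"""Flag hostnames whose DNS labels are near-miss spellings of a watched brand.

Added example, not from the CallerSpy report. The hostnames and log lines
below are constructed for illustration only.
"""
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Brands whose lookalikes we want to catch (assumed list; extend as needed).
WATCHED_BRANDS: Tuple[str, ...] = ("google",)

Hit = Tuple[str, str, int]  # (suspicious label, brand it resembles, edit distance)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_labels(hostname: str,
                     brands: Iterable[str] = WATCHED_BRANDS,
                     max_distance: int = 1) -> List[Hit]:
    """Return a hit for each non-TLD label that is a near miss of a brand.

    A label equal to the brand (distance 0) is not reported, so hosts under the
    brand's own domain pass; "gooogle" (one extra O) is within distance 1 and
    is reported.
    """
    hits: List[Hit] = []
    labels = hostname.lower().rstrip(".").split(".")
    for label in labels[:-1]:  # skip the TLD itself
        for brand in brands:
            dist = levenshtein(label, brand)
            if 0 < dist <= max_distance:
                hits.append((label, brand, dist))
    return hits


def flagged_hosts(log_lines: Iterable[str],
                  brands: Iterable[str] = WATCHED_BRANDS) -> Dict[str, List[Hit]]:
    """Scan proxy log lines of the form 'timestamp client method url' and return
    {hostname: hits} for every host that carries a lookalike label."""
    flagged: Dict[str, List[Hit]] = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or empty line
        host = urlsplit(fields[3]).hostname
        if not host:
            continue
        hits = lookalike_labels(host, brands)
        if hits:
            flagged[host] = hits
    return flagged


# Constructed sample proxy log: one legitimate Google host, one extra-O
# lookalike serving an APK, one unrelated host.
SAMPLE_PROXY_LOG = """\
2019-10-14T10:01:22Z 10.0.0.5 GET https://accounts.google.com/signin
2019-10-14T10:02:07Z 10.0.0.7 GET https://www.gooogle.example/download/apex.apk
2019-10-14T10:03:41Z 10.0.0.9 GET https://chat.example.net/index.html
"""

if __name__ == "__main__":
    for host, hits in flagged_hosts(SAMPLE_PROXY_LOG.splitlines()).items():
        print(host, hits)
```

Distance 1 is deliberately tight: it catches an added, dropped or swapped character without drowning the analyst in hits, and a separate allow-list for the brand's own registrable domain keeps legitimate subdomains out of the results.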
Researchers believe whoever is behind it has set up the CallerSpy distribution page as the initial phase of a targeted cyber-espionage campaign, although it's still unclear what the attacker's motive is or who they're trying to target, as no infections have been discovered in the wild yet.
While there's currently only evidence of CallerSpy being built to target Android, the download section of the website hosting the fake chat app suggests there are also plans to distribute Apple and Windows versions. That could indicate that a much bigger campaign is planned, with the attacker waiting for the right moment to spread the malware.
Researchers recommend installing security software on phones to protect against such attacks. Users can also go a long way towards keeping themselves safe by being careful about what they download, in particular APK files offered on websites rather than through an official app store, and by keeping their devices patched and up to date.
Trend Micro will continue to monitor the development of CallerSpy; in the meantime, the currently known indicators of compromise are available in its post analysing the malware.