Security researchers at Trend Micro have discovered a new mobile malware application on Android that disguises itself as a Google+ app. The app has the capability to record phone calls, as well as gather the GPS location of the handset, the text messages and the call logs, all of which are sent off to remote servers.
The app installs itself on Android devices under the guise of being a Google+ application, using the Google+ icon to disguise itself in both the Android applications list and the list of running services.
The malware is a variant of the previously discovered ANDROIDOS_NICKISPY.A and .B, as it uses the same code structure found within those applications. This particular variant is being called ANDROIDOS_NICKISPY.C.
In this case, at least, it does not appear that the malware is particularly widespread, as it is not listed in the Android Market. The app appears to be installed only on the handsets of users who unknowingly visit a malicious website. And removal is as simple as uninstalling the app.
What’s interesting here is how quickly malware authors have used the hype about Google’s new social network to their advantage. Not even 2 months old, and Google+ is already being used as the cover for mobile malware.
In addition to recording calls and gathering personal data from the device, the malware is also able to receive commands via text message, explains Trend Micro threat analyst Mark Balanza. To do so, it requires the sender to use the predefined “controller” number from the app’s configuration file in order to execute any commands.
But what sets this malware apart, says Balanza, is its ability to record incoming phone calls automatically, something the other variants did not do. For the malware to answer a call, the phone’s screen must be turned off and the call has to come from a certain phone number in the app’s configuration file. Before answering, the app puts the phone in silent mode and hides the dial pad. And when the phone call is connected, the screen goes blank.
It’s important to note that the “auto-answering” feature of the malware can only affect phones running Android versions 2.2 and below, as the MODIFY_PHONE_STATE permission was disabled in Android 2.3. This is another very good example of why manufacturers and carriers should not hold back Android OS updates from being pushed down to consumers’ devices.
The Android operating system is increasingly the target for malware such as this, security firm Lookout reported earlier this month. Android users are two-and-a-half times more likely to encounter malware today than just 6 months ago. And half a million to one million users have been affected by Android malware this year alone. While this individual app may only be a minor threat, when combined with all the others over the course of many months, the malware threat is becoming a concern for Android users, developers, carriers and OEMs alike.