Overreliance on smartphones, both in our personal and professional lives, is a reality for many of us. These devices hold a lot of sensitive information – information that could be worth a lot to some people, especially if you are a high-positioned executive in a thriving business.
Researchers from mobile security outfit Skycure have recently analyzed a malicious app they found on an Android 6.0.1 device owned by a VP at a global technology company.
The name of the malicious package is “com.android.protect”, and it comes disguised as a Google Play Services app. It disables Samsung’s SPCM service in order to keep running, installs itself as a system package to prevent removal by the user (if it can get root access), and also hides itself from the launcher.
They don’t say how the malicious app – a piece of commercial spyware they dubbed Exaspy – found its way onto the victim’s phone, but chances are someone took advantage of the physical access they had to the device to do the dirty deed.
Once installed and run, the malware requests device admin rights, asks for the licence number to be entered, hides itself (its presence can be revealed by dialing “11223344”), and finally asks to be granted root access (if the device is rooted).
The spyware is able to:
- Collect chats and messages sent and received via SMS, MMS, and popular email and IM apps (Gmail, FB Messenger, Skype, WhatsApp, etc.)
- Record audio and telephone calls
- Collect pictures and take screenshots
- Collect contacts, browser histories, the contents of the calendar, and so on.
The stolen info is sent to a remote server operated by the attacker.
Spyware like this one is readily available for purchase by anyone for $15-$30 per month, per device. The potential damage, especially to businesses, is huge.
Mobile AV security solutions unfortunately do not offer fool-proof protection against these threats, so it’s also up to the users to keep themselves safe.
The usual advice of being careful what you download and not giving special permissions to apps that shouldn’t require them is valid here, but you can also regularly check Android’s Device Administrators list and disable components you don’t trust.
Elisha Eshed, Skycure’s security research team lead, also advises making it impossible for people who might have temporary access to your phone to meddle with it: “Set up PIN codes and fingerprint authentication, disable USB debugging, and make sure OEM Unlocking is turned off.”
Enterprise IT professionals looking to check whether this app has found its way into their organization can use the technical info provided at the end of this blog post.
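The checks described above (reviewing the Device Administrators list, confirming USB debugging is off, and looking for the package name the article gives) can be scripted over adb. The script below is an added example, not Skycure’s code or anything from the article: the package name `com.android.protect` comes from the article, while the receiver class `.DeviceAdmin` in the constructed sample output, the `--live` switch and the assumption that `dumpsys device_policy` prints each admin as an indented `package/Receiver:` line are this example’s own. It does not replace the hashes and server indicators in Skycure’s report; it only flags the three signs named here.

```shell
#!/bin/sh
# Added example (not from the article or Skycure): adb-driven triage for three indicators
# named in the article: the com.android.protect package, a device-admin entry for it,
# and USB debugging left enabled. Run with --live against a connected device; without
# it the script runs on constructed sample output that stands in for a compromised phone.

SUSPECT_PKG="com.android.protect"   # package name given in the article

# Reads `pm list packages` output ("package:<name>" per line) on stdin and prints
# the suspect package name if it is installed (exit 1 if not).
find_suspect_package() {
    sed -n 's/^package://p' | grep -x "$SUSPECT_PKG"
}

# Reads `dumpsys device_policy` output on stdin and prints each enabled device-admin
# component as "package/Receiver", one per line. Assumption: admins appear as
# indented "pkg/.Receiver:" lines, which is how Android prints them.
list_device_admins() {
    grep -oE '^ +[A-Za-z0-9_.]+/[A-Za-z0-9_.$]+:' | tr -d ' :' | sort -u
}

# Reads `settings get global adb_enabled` output on stdin; prints "on" or "off".
usb_debugging() {
    read -r v
    [ "$v" = "1" ] && echo on || echo off
}

# Arguments: files holding the three command outputs (packages, device_policy, adb_enabled).
# Prints "clean" or "suspicious:" followed by the reasons found.
triage() {
    reasons=""
    if find_suspect_package < "$1" > /dev/null; then reasons="$reasons package"; fi
    if list_device_admins < "$2" | grep -q "^$SUSPECT_PKG/"; then reasons="$reasons device-admin"; fi
    if [ "$(usb_debugging < "$3")" = "on" ]; then reasons="$reasons usb-debugging"; fi
    if [ -z "$reasons" ]; then echo clean; else echo "suspicious:$reasons"; fi
}

dir=$(mktemp -d)
if [ "${1:-}" = "--live" ]; then
    # Older adb versions emit CRLF line endings; strip the CR so the parsers match.
    adb shell pm list packages            | tr -d '\r' > "$dir/pkgs"
    adb shell dumpsys device_policy       | tr -d '\r' > "$dir/dp"
    adb shell settings get global adb_enabled | tr -d '\r' > "$dir/adb"
else
    # Constructed sample output: one suspect package registered as a device admin,
    # USB debugging on. The receiver class name ".DeviceAdmin" is invented.
    printf 'package:com.android.chrome\npackage:com.android.protect\npackage:com.whatsapp\n' > "$dir/pkgs"
    printf '  Enabled Device Admins (User 0):\n    com.android.protect/.DeviceAdmin:\n      uid=10077\n' > "$dir/dp"
    printf '1\n' > "$dir/adb"
fi
triage "$dir/pkgs" "$dir/dp" "$dir/adb"
rm -rf "$dir"
```

Because the spyware installs itself as a system package when it can, a hit from `find_suspect_package` is worth following with `adb shell pm path com.android.protect` to see whether the APK lives under a system partition, which decides whether a plain uninstall will remove it.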