October 3, 2014

Many modern malicious programs for handhelds are designed to steal information and spy on their owners. A recently discovered Trojan for Android has been designed particularly for this purpose. Yet it differs from other similar threats in terms of its payload as well as by the fact that it targets a particular group of people whom criminals want to track. Doctor Web's security researchers examined this malicious program, dubbed Android.SpyHK.1.originunder the Dr.Web classification system.

This new Android threat is being distributed among Hong Kong protesters demanding more democratic elections. The malware has gotten onto the protesters' devices in the guise of a program that coordinates their protest activities, so most of them wouldn't suspect it to be malware.

After its launch, Android.SpyHK.1.origin establishes a connection with a command and control server, to which it uploads a large amount of information about the infected device (for example, the operating system version, phone number, the IMEI, and hardware specifications) and stands by for further instructions from the intruders. The Trojan is heavily loaded with various features and, depending on which directive it receives, it can perform the following tasks:

• Read the contents of a specified directory (names, size, and last modified dates for files and folders in the directory).
• Acquire the device's GPS coordinates.
• Add an entry to the log file.
• Output a message with a specified text on the screen.
• Call a specified number.
• Gather information about the device.
• Execute a specified shell-script.
• Get an extended contact list (including names, phone numbers and email addresses).
• Gain access to the SMS correspondence.
• Get the call history.
• Add specific phone numbers to the list of individuals being eavesdropped on.
• Obtain the current list of individuals being eavesdropped on.
• Download a file from a designated web address.
• Delete a specified file from the device;
• Upload a specified file to the command and control server.
• Activate the voice recorder after a specified time interval.
• Activate voice recording and simultaneously stream the recording onto the server's socket.
• Stop voice recording.
• Upload the mail database of the default mail client onto the server.
• Acquire browsing history.
• Send information about files and directories found on the SD card to the command and control server.
• Execute multiple commands to gather sensitive information and send it to the server.

Android.SpyHK.1.origin has certain features that distinguish it from other Trojan spies. In particular, to determine the GPS location of an infected Android handheld, the Trojan exploits a known vulnerability of the power control widget and, thus, can bypass the global system settings and activate certain features of the mobile device. Despite the fact that this vulnerability was fixed in 2011, some users have reported on its re-emergence in recent versions of the operating system. Thus, in some cases, Android.SpyHK.1.origin theoretically can activate the GPS receiver of an infected smart phone or tablet, even if the owner has disabled this feature in the settings.

In addition, the capability to stream voice recordings to the server's socket enables the intruders to listen in on phone calls in real time. This feature serves as an alternative to covert phone calls. While the transfer of data over a cellular network can be blocked by law enforcement agencies, Wi-Fi hotspots can still be nearby, so criminals have a chance to acquire the information they need. Moreover, a large portion of the information collected is transmitted directly to the socket on the remote server, and— provided that the latter is powerful enough—the intruders can obtain current information about the situation at the location of the infected Android devices in real time by turning the compromised smart phones and tablets into a powerful surveillance network.

This indicates that the intruders are carrying out a well-planned, targeted attack aimed at acquiring information about the protesters in Hong Kong and about their future actions. Similar programs can be put to use anywhere in the world, so owners of mobile devices should exercise caution and refrain from installing suspicious applications onto their handhelds.

The Trojan's definition has been added to the virus databases, so Android.SpyHK.1.origin poses no threat to devices running Dr.Web for Android and Dr.Web for Android Light.

Learn more about this threat