An advanced Android malware family that mainly affects users in Asia has been spotted using a commercially available rooting app to exfiltrate data from 40 popular Android apps, including Facebook, WhatsApp and Skype.
SpyDealer was discovered by Palo Alto Networks, and while it has the potential to be quite dangerous, several mitigating factors have helped limit the malware's impact. Palo Alto researchers noted that it is only completely effective against devices running the older Android versions 2.2 and 4.4, and that it is primarily being distributed via wireless networks in China.
“This represents approximately 25% of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges,” Palo Alto researchers Wenjun Hu, Cong Zheng and Zhi Xu blogged.
Other popular apps exposed to the malware include WeChat, Facebook, WhatsApp, Skype, the Android native browser and Firefox, along with a large number of Chinese apps.
Palo Alto has notified Google, which has added a defense against the malware to Google Play Protect.
Once installed, Palo Alto said, SpyDealer uses the Baidu Easy Root app to gain root privileges and persistence, and then begins harvesting data and carrying out actions including:
· Collecting the phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location and connected Wi-Fi information
· Automatically answering incoming phone calls from a specific number
· Remote control of the device via UDP, TCP and SMS channels
· Spying on the compromised user by recording phone calls and the surrounding audio and video, taking photos with both the front and rear cameras, monitoring the device's location and taking screenshots
The research also showed that the malware is still being improved by its creators: three versions are currently in the wild, the first dating from October 2015 and the most recent update pushed out in May 2017.