The latest Nickispy variant can intercept incoming calls without the user's knowledge while sending call logs, text messages and other information to a remote server.
Android malware has been popping
up like clockwork this year, with increasingly sophisticated features and
The latest Android Trojan
variant masquerades as a Google+ application and can record phone calls, answer
incoming calls and execute remote commands sent to the handset via SMS (Short
Message Service) communications, Mark Balanza, a threats
analyst at Trend Micro
said Aug. 12. Known as ADROIDOS_NICKISPY.C, the Trojan displays a
Google+ icon on the handset and is installed under the name Google++.
Symantec detected a different version of
earlier this month that could record calls, but noted that the malicious
third-party would need to have physical access to the handset to retrieve the
recordings, according to Irfan Asrar, an analyst with Symantec Security
"What makes this
particular variant different is that it has the capability to automatically
answer incoming calls," said Trend Micro's Balanza.
When the latest variant
intercepts calls, it can take steps to prevent users from even knowing about
the call, the researchers said. Once the Trojan detects an incoming call from
the remote controller number defined in the configuration file, it puts the
phone on silent mode to prevent the owner from noticing, Balanza said.
It appears that the phone
screen must be turned off in a rest state for the malware to successfully
answer the call, and the current screen is set to display the home page instead
of information about the incoming call. The screen is set blank after the
Trojan answers the call. The dial pad is hidden, as well.
However, the ability to
intercept calls is limited only to older Android handsets running version 2.2
or earlier. Later versions are protected from this capability because the
modify_phone_state permission was disabled in Android 2.3, according to
The Trojan can gather GPS
location, text messages and call logs from the infected phone and transmit them
to a remote server using port 2018. The Trojan accesses 19 different services,
including the ability to access alarms, read and send SMS communications, and
lock the keypad.
According to a recent 2011 Mobile Threat report
from Lookout Mobile
Security, the number of infected Android applications jumped from 80 in January
to more than 400 six months later. Anywhere from 500,000 to 1 million users
were impacted by malware on their Android smartphones or tablets, Lookout said,
noting that users were 2.5 times more likely to be affected by malware than
they were six months ago. "Attackers are deploying a variety of
increasingly sophisticated techniques to take control of the phone, personal
data and money," the company said in the report.
"The Android platform's
popularity with developers and users makes it a prime target, both for thieves
looking to steal devices and for those wanting to exploit it through malware
and scams," said Alexandru Balan, senior product manager at BitDefender.
Security companies encourage
users to download and install a security application to protect their devices
from the increasing amount of Android malware. Sprint recently announced a
partnership with McAfee to provide customers with "easy access" to
McAfee Mobile Security to protect themselves.
Webroot also updated its
original application from April earlier this month with a feature that lets
users monitor all the active connections on the device. Users would be able to
tell when the device was stealthily accessing the network. It blocks and
removes malicious applications, protects sensitive data, and blocks Web threats
Bit Defender recently added
anti-theft and SD card scanning capabilities to its Mobile Security for Android
application, which scans for both malware and Web threats. The new anti-theft
function allows users to easily track where their device is and to remotely
wipe it when needed, while SD Card scanning prevents users from inadvertently
uploading malware from infected SD cards.