Android Trojan Stealthily Answers Incoming Calls, Executes Remote SMS Commands

Android malware has been popping up like clockwork this year, with increasingly sophisticated features and capabilities.

The latest Android Trojan variant masquerades as a Google+ application and can record phone calls, answer incoming calls and execute remote commands sent to the handset via SMS (Short Message Service) communications, Mark Balanza, a threats analyst at Trend Micro said Aug. 12. Known as ADROIDOS_NICKISPY.C, the Trojan displays a Google+ icon on the handset and is installed under the name Google++.

Symantec detected a different version of NickiSpy earlier this month that could record calls, but noted that the malicious third-party would need to have physical access to the handset to retrieve the recordings, according to Irfan Asrar, an analyst with Symantec Security Response.

"What makes this particular variant different is that it has the capability to automatically answer incoming calls," said Trend Micro's Balanza.

When the latest variant intercepts calls, it can take steps to prevent users from even knowing about the call, the researchers said. Once the Trojan detects an incoming call from the remote controller number defined in the configuration file, it puts the phone on silent mode to prevent the owner from noticing, Balanza said.

It appears that the phone screen must be turned off in a rest state for the malware to successfully answer the call, and the current screen is set to display the home page instead of information about the incoming call. The screen is set blank after the Trojan answers the call. The dial pad is hidden, as well.

However, the ability to intercept calls is limited only to older Android handsets running version 2.2 or earlier. Later versions are protected from this capability because the modify_phone_state permission was disabled in Android 2.3, according to Balanza.

The Trojan can gather GPS location, text messages and call logs from the infected phone and transmit them to a remote server using port 2018. The Trojan accesses 19 different services, including the ability to access alarms, read and send SMS communications, and lock the keypad.

According to a recent 2011 Mobile Threat report from Lookout Mobile Security, the number of infected Android applications jumped from 80 in January to more than 400 six months later. Anywhere from 500,000 to 1 million users were impacted by malware on their Android smartphones or tablets, Lookout said, noting that users were 2.5 times more likely to be affected by malware than they were six months ago. "Attackers are deploying a variety of increasingly sophisticated techniques to take control of the phone, personal data and money," the company said in the report.

"The Android platform’s popularity with developers and users makes it a prime target, both for thieves looking to steal devices and for those wanting to exploit it through malware and scams," said Alexandru Balan, senior product manager at BitDefender.

Security companies encourage users to download and install a security application to protect their devices from the increasing amount of Android malware. Sprint recently announced a partnership with McAfee to provide customers with "easy access" to McAfee Mobile Security to protect themselves.

Webroot also updated its original application from April earlier this month with a feature that lets users monitor all the active connections on the device. Users would be able to tell when the device was stealthily accessing the network. It blocks and removes malicious applications, protects sensitive data, and blocks Web threats and spam.

Bit Defender recently added anti-theft and SD card scanning capabilities to its Mobile Security for Android application, which scans for both malware and Web threats. The new anti-theft function allows users to easily track where their device is and to remotely wipe it when needed, while SD Card scanning prevents users from inadvertently uploading malware from infected SD cards.