Malware researchers at Palo Alto Networks have spotted a new Android Trojan, dubbed SpyDealer, that can exfiltrate data from more than 40 applications, including WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Browser, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk.
SpyDealer steals messages from communication apps using the Android accessibility service feature and leverages the exploits from a commercial rooting app called Baidu Easy Root to gain rooting privileges and to maintain persistence on the target.
The mobile malware only works on Android versions from 2.2 up to 4.4 (roughly 25% of all Android devices), which are the versions supported by the rooting tool.
Once installed, the malware registers “two broadcast receivers to listen for events related to the device booting up and network connection status.”
Even when the malware is not able to root the device, it is able to steal a significant amount of sensitive data.
Attackers can remotely control the infected Android device via UDP, TCP and SMS channels.
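The traits described above (two broadcast receivers for boot and connectivity events, message capture through the accessibility service, and an SMS command channel) all leave marks in an app's manifest. As an added defender-side example, not code from the original article or from Palo Alto Networks, the following Python script triages a decoded AndroidManifest.xml for that combination. The sample manifest, the indicator names and the "profile" rule are my own constructions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample of a decoded AndroidManifest.xml that shows the traits the
# article attributes to SpyDealer (boot and connectivity receivers, an
# accessibility service, SMS reception, a legacy target SDK). It is not a real
# SpyDealer manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspect">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def receiver_actions(root):
    """Return the set of intent actions handled by any <receiver>."""
    actions = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = _android_attr(action, "name")
            if name:
                actions.add(name)
    return actions


def triage_manifest(xml_text):
    """Return the sorted list of SpyDealer-style indicators found in a manifest."""
    root = ET.fromstring(xml_text)
    indicators = set()

    # Persistence: the article says the malware listens for boot and
    # network-connectivity events via two broadcast receivers.
    actions = receiver_actions(root)
    if "android.intent.action.BOOT_COMPLETED" in actions:
        indicators.add("boot_receiver")
    if "android.net.conn.CONNECTIVITY_CHANGE" in actions:
        indicators.add("connectivity_receiver")

    # Data capture: message theft through an accessibility service.
    for service in root.iter("service"):
        if _android_attr(service, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            indicators.add("accessibility_service")

    # Command channel: SMS-based remote control needs RECEIVE_SMS.
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    if "android.permission.RECEIVE_SMS" in perms:
        indicators.add("sms_receive")

    # Weak signal: the rooting exploits only cover Android 2.2 - 4.4 (API 8-19),
    # so a target SDK at or below 19 is consistent with that tooling.
    sdk = root.find("uses-sdk")
    target = _android_attr(sdk, "targetSdkVersion") if sdk is not None else None
    if target is not None and int(target) <= 19:
        indicators.add("legacy_target_sdk")

    return sorted(indicators)


def looks_like_spydealer_profile(indicators):
    """True when persistence, accessibility capture and an SMS channel co-occur."""
    needed = {"boot_receiver", "accessibility_service", "sms_receive"}
    return needed.issubset(indicators)


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print("indicators:", found)
    print("matches profile:", looks_like_spydealer_profile(found))
```

Each indicator on its own is common in benign apps (many legitimate apps register a boot receiver, and accessibility services are a real feature); the value is in the co-occurrence, which is why the profile rule requires persistence, accessibility capture and the SMS channel together before flagging a sample for analyst review.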
The SpyDealer Trojan can gather a huge quantity of information from the target devices, including the phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information. It can also answer incoming phone calls from a specific number, can record phone calls and the surrounding audio and video, can take photos with the device’s cameras, monitor location, and take screenshots.
The good news is that SpyDealer isn't distributed through the official Google Play store; the malware experts observed Chinese users being infected through compromised wireless networks.
Palo Alto Networks believes the malware is under active development; the researchers have already detected 1,046 samples of SpyDealer belonging to at least three different variants.
The first variant spotted dates back to October 2015 and the most recent one was created in May 2017, meaning the SpyDealer Trojan has been active for more than 18 months.