Trend Micro reports this:
CallerSpy claims to be a chat app, but we found that it had no chat features at all and was riddled with espionage behaviors. When launched, CallerSpy initiates a connection to the C&C server via Socket.IO to monitor for incoming commands. It then uses Evernote Android-Job to schedule the jobs that steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
| Job tag | Behavior |
| --- | --- |
| | Starts the latest_files_watcher job and keeps it alive |
| | Configures the environment record module |
| | Starts the enviorment_scehdular job and keeps it alive |
| | Starts the listener job and keeps it alive |
| | Updates the configuration and takes a screenshot |
| | Uploads "privacy" (the collected data) to the remote C&C server |
| | Collects all call log, SMS, contacts, and file information on the device |
Table 1. Some of CallerSpy’s scheduling job tags
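When triaging a sample that uses Evernote Android-Job, the job tags and their scheduling mode are the fastest way to map its collection loop. The helper below is an added example, not code from the Trend Micro report or from CallerSpy: it scans decompiled Java text for `JobRequest.Builder("tag")` call chains and reports whether each job is periodic (Android-Job's `setPeriodic`, whose minimum interval is 15 minutes) or a one-off execution window. The source excerpt is constructed to resemble typical decompiler output and reuses two tag names from Table 1; the class and method names in it are assumptions.

```python
import re
from typing import Dict

# Constructed excerpt in the shape decompiled Android-Job scheduling code usually takes.
# Class/method names are invented; the two job tags come from Table 1 of the report.
SAMPLE_DECOMPILED = '''
public final class SchedulerHelper {
    public static void startWatcher() {
        new JobRequest.Builder("latest_files_watcher")
            .setPeriodic(900000L)          // 15 min, the Android-Job minimum
            .setUpdateCurrent(true)
            .build()
            .schedule();
    }
    public static void startEnv() {
        new JobRequest.Builder("enviorment_scehdular")
            .setExecutionWindow(30000L, 60000L)
            .build()
            .schedule();
    }
    public static void startListener() {
        new JobRequest.Builder("listener")
            .setPeriodic(900000L)
            .build()
            .schedule();
    }
}
'''

# One scheduling call: from JobRequest.Builder("tag") up to the matching .schedule().
# Non-greedy so each match stops at the first .schedule() after its own Builder.
_BUILDER_RE = re.compile(
    r'JobRequest\.Builder\(\s*"([^"]+)"\s*\)(.*?)\.schedule\(\)',
    re.DOTALL,
)


def extract_job_tags(source: str) -> Dict[str, str]:
    """Return {job_tag: "periodic" | "one-off"} for every Android-Job scheduling call."""
    jobs: Dict[str, str] = {}
    for match in _BUILDER_RE.finditer(source):
        tag, chain = match.group(1), match.group(2)
        jobs[tag] = "periodic" if ".setPeriodic(" in chain else "one-off"
    return jobs


if __name__ == "__main__":
    for tag, kind in extract_job_tags(SAMPLE_DECOMPILED).items():
        print(f"{tag}: {kind}")
```

Run it against the output of a decompiler (jadx, for instance) for the whole package; the periodic tags are the ones to watch, since they are the jobs that keep the collection and upload loop alive between C&C commands.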
All of the stolen information is collected and stored in a local database before it is periodically uploaded to the C&C server. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
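On the wire, a Socket.IO event over WebSocket is a text frame of the form `42["event", ...args]` (engine.io message type 4 carrying a socket.io EVENT type 2), so a Base64-encoded screenshot travelling back to the C&C server is visible in a decrypted capture as one such frame with a large string argument. The detector below is an added example, not code from the report or from CallerSpy: it parses event frames, Base64-decodes string arguments and flags any that decode to a PNG or JPEG header. The frames and the event names `command`, `screenshot` and `status` are constructed for the example, and the "screenshot" payload is a stand-in PNG header plus padding rather than a real image.

```python
import base64
import binascii
import json
from typing import List, Optional, Tuple

# Magic bytes of the formats a screenshot is commonly encoded as.
_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Constructed stand-in for a screenshot: a PNG header followed by padding bytes.
FAKE_SCREENSHOT_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32).decode()

# Constructed Socket.IO session, mixing engine.io control frames with event frames.
# Event names are invented for the example, not taken from the malware.
SAMPLE_FRAMES = [
    '0{"sid":"abc123","upgrades":[],"pingInterval":25000,"pingTimeout":5000}',  # open
    "40",                                             # socket.io connect
    '42["command",{"type":"screenshot"}]',            # server -> client instruction
    '42["screenshot",{"image":"' + FAKE_SCREENSHOT_B64 + '"}]',  # client -> server
    "2",                                              # ping
    '42["status","ok"]',
]


def parse_socketio_event(frame: str) -> Optional[Tuple[str, list]]:
    """Parse a default-namespace Socket.IO EVENT frame ("42" + JSON array).
    Returns (event_name, args), or None for control frames and namespaced/ack variants."""
    if not frame.startswith("42["):
        return None
    try:
        payload = json.loads(frame[2:])
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, list) or not payload or not isinstance(payload[0], str):
        return None
    return payload[0], payload[1:]


def image_type_of_base64(text: str) -> Optional[str]:
    """If text is valid Base64 that decodes to a known image header, return its type."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, kind in _IMAGE_MAGIC.items():
        if raw.startswith(magic):
            return kind
    return None


def find_image_exfil(frames: List[str]) -> List[Tuple[str, str, int]]:
    """Flag event frames carrying a Base64 image in a string argument or a dict value.
    Returns one (event_name, image_type, decoded_size) tuple per hit."""
    hits = []
    for frame in frames:
        parsed = parse_socketio_event(frame)
        if parsed is None:
            continue
        name, args = parsed
        for arg in args:
            if isinstance(arg, str):
                candidates = [arg]
            elif isinstance(arg, dict):
                candidates = [v for v in arg.values() if isinstance(v, str)]
            else:
                candidates = []
            for text in candidates:
                kind = image_type_of_base64(text)
                if kind is not None:
                    hits.append((name, kind, len(base64.b64decode(text))))
    return hits


if __name__ == "__main__":
    for name, kind, size in find_image_exfil(SAMPLE_FRAMES):
        print(f"event={name!r} image={kind} bytes={size}")
```

Feed it the text frames from a decrypted WebSocket stream (a proxy such as mitmproxy on the analysis device will expose them) to see which event carries the image and how large it is; the decoded size gives a quick sanity check that the payload is a full screenshot rather than a thumbnail.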