IT and Business Insights for SMB Solution Providers

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro report this

Behavior analysis

CallerSpy claims it’s a chat app, but we found that it had no chat features at all and it was riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
Figure 3. Scheduled jobs
Source Command
alive_latest_files_watcher Starts latest_files_watcher job and keeps it alive
enviorment_schedulers Configures environment record module
keep_enviorment_scehdular_alive Starts the enviorment_scehdular job and keeps it alive
keep_listener_alive Starts listener job and keeps it alive
latest_files_watcher listeners Updates configuration and takes a screenshot
record_enviorment Records environment
remote_sync Uploads privacy to the remote C&C server
sync_data_locally Collects all call log, SMS, contacts, and files information on the device
Table 1. Some of CallerSpy’s scheduling job tags
All of the stolen information are collected and stored in a local database before they’re uploaded to the C&C server periodically. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
Figure 4. Privacy database
The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
 
For full info click here

About the Author

ChannelPro SMB Magazine
SUBSCRIBE FREE!

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.