SpyDealer takes control of Android phones and steals data from encrypted messaging apps

Malware is distributed via compromised wireless networks, not the Play Store

Android malware that exfiltrates data from more than 40 communication apps, including WhatsApp, Facebook and Skype, has been discovered by Unit 42, Palo Alto Networks' threat intelligence department.

'SpyDealer' steals messages and other personal data, like contact details, by exploiting the Android accessibility service. It is also able to record calls and the surrounding audio and video, as well as monitoring the device's location and taking photos using its cameras. The malware roots the device and maintains persistence using the Baidu Easy Root app.

Many of the apps that SpyDealer steals data from use end-to-end encryption. To get around this, the malware authors implemented an extra accessibility service that captures messages in plaintext by reading them directly off the screen after they have been decrypted for display, using the root privilege to enable it.

At present, the malware is not being distributed through the Google Play Store, and its existence has been reported to Google. Unit 42 is unsure exactly how it is infecting users, but has seen evidence suggesting that SpyDealer is running through compromised wireless networks in China. All of the 88 command & control servers that Unit 42 has observed SpyDealer using are in China, bar three in the USA.

Mitigating the threat somewhat, the malware is only completely effective against devices running older versions of Android (2.2 to 4.4), as those are the only ones supported by Baidu Easy Root. SpyDealer can still affect newer Android devices and steal data, but cannot take actions that require higher privileges.

Unit 42 has found more than 1,000 samples of SpyDealer in the wild to date (most using the app name 'GoogleService' or 'GoogleUpdate'). The first sample was seen in October 2015 and the latest in May 2017. The firm has tracked three separate versions - suggesting that the malware is still under development. See Unit 42's full analysis of the software here.
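The indicators above (an extra accessibility service, full compromise only on Android 2.2 to 4.4, samples labelled 'GoogleService' or 'GoogleUpdate') can be turned into a simple device triage check. The script below is an added example, not Unit 42's or the malware's code; the allowlist, the `triage` function and all sample values are assumptions constructed for illustration, and the inputs correspond to `adb shell settings get secure enabled_accessibility_services`, `adb shell getprop ro.build.version.sdk`, and the installed app labels an analyst has listed.

```python
# Added triage example (not Unit 42's code): score an Android device against the
# indicators in this report. All sample values below are constructed.

ROOTABLE_SDK = range(8, 20)  # Android 2.2 (API 8) to 4.4 (API 19): the Baidu Easy Root range
SUSPICIOUS_LABELS = {"GoogleService", "GoogleUpdate"}  # app names cited in the report
# Assumed organisational allowlist of accessibility services; TalkBack is the stock screen reader
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting):
    """Parse the enabled_accessibility_services secure setting.

    The value is colon-separated 'package/Class' entries, or 'null' / empty when none.
    Returns a list of (package, class) tuples.
    """
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    services = []
    for entry in setting.split(":"):
        if entry:
            pkg, _, cls = entry.partition("/")
            services.append((pkg, cls))
    return services


def triage(enabled_services_setting, sdk_level, app_labels):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    # Any accessibility service outside the allowlist can read decrypted message text off the screen
    for pkg, cls in parse_enabled_services(enabled_services_setting):
        if pkg not in ALLOWED_A11Y_PACKAGES:
            findings.append(f"unapproved accessibility service enabled: {pkg}/{cls}")
    # App labels matching the names most samples used
    for label in app_labels:
        if label in SUSPICIOUS_LABELS:
            findings.append(f"app label matches reported sample name: {label}")
    # On API 8-19 the root/persistence stage works, so findings there mean full compromise is possible
    if int(sdk_level) in ROOTABLE_SDK:
        findings.append(f"API level {sdk_level} is in the range where root persistence is possible")
    return findings


if __name__ == "__main__":
    # Constructed sample: one unknown service enabled beside TalkBack on a KitKat device
    sample_setting = "com.google.android.marvin.talkback/.TalkBackService:com.example.unknown/.Svc"
    for finding in triage(sample_setting, "19", ["Camera", "GoogleUpdate"]):
        print(finding)
```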