Android Malware Uses Google Plus Disguise



Security researchers at Trend Micro have discovered a familiar piece of Android malware, this time disguised as Google Plus. The malware, named ANDROIDOS_NICKISPY.C, uses the services below.

  • MainService
  • AlarmService
  • SocketService
  • GpsService
  • CallRecordService
  • CallLogService
  • UploadService
  • SmsService
  • ContactService
  • SmsControllerService
  • CommandExecutorService
  • RegisterService
  • CallsListenerService
  • KeyguardLockService
  • ScreenService
  • ManualLocalService
  • SyncContactService
  • LocationService
  • EnvRecordService

The malware is disguised as Google Plus and in most user interfaces appears with the name "Google+", but the true name of the application is "Google++". This is to avoid any conflicts with the real Google Plus application and to make it less noticeable. The malware can upload call logs, text messages and GPS location data to a specified URL. It can also receive commands via text messages; however, the sender's number must be specified in the application's code. This number is called the "controller".

ANDROIDOS_NICKISPY.C can record incoming calls, like other variants of the malware. What makes this variant more dangerous is that it can automatically answer incoming calls. The malware is programmed to automatically answer calls only from the "controller" and only when the phone's screen is off. When the call is answered, the phone is automatically put into silent mode and the dialpad is hidden, so only the home screen can be seen. This function of the malware only works on versions 2.2 and below of the Android OS, as the permission was removed in 2.3.
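A triage check built from the two indicators the article gives, the service names and the "Google++" name, run over a decoded AndroidManifest.xml. This is an added example, not Trend Micro's detection logic; the `min_hits` threshold, the function names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Service class names reported in the article for ANDROIDOS_NICKISPY.C.
NICKISPY_SERVICES = set("""
MainService AlarmService SocketService GpsService CallRecordService
CallLogService UploadService SmsService ContactService SmsControllerService
CommandExecutorService RegisterService CallsListenerService
KeyguardLockService ScreenService ManualLocalService SyncContactService
LocationService EnvRecordService
""".split())


def triage_manifest(manifest_xml, min_hits=5):
    """Score a decoded AndroidManifest.xml against the article's indicators."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    # Manifests write service names as ".Foo", "Foo" or "pkg.Foo"; keep the class.
    declared = {s.get(ANDROID + "name", "").rsplit(".", 1)[-1]
                for s in root.iter("service")}
    hits = sorted(declared & NICKISPY_SERVICES)
    # Only a literal label can be compared; "@string/..." needs the resources.
    lookalike = label.strip() == "Google++"
    # Names such as MainService are common in benign apps, so one hit is weak
    # evidence; min_hits (an assumed threshold) requires a cluster of them.
    return {"label": label, "service_hits": hits, "lookalike_label": lookalike,
            "suspicious": lookalike or len(hits) >= min_hits}


def build_sample(label, services):
    """Build a constructed manifest; the package name is a placeholder."""
    svc = "".join(f'<service android:name="{n}"/>' for n in services)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed"><application android:label="{label}">'
            f'{svc}</application></manifest>')


SAMPLE_SUSPECT = build_sample("Google++", [
    ".MainService", ".SocketService", ".GpsService",
    "com.example.constructed.CallRecordService",
    ".SmsControllerService", ".EnvRecordService"])
SAMPLE_BENIGN = build_sample("Notes", [".MainService", ".SyncService"])

if __name__ == "__main__":
    for name, xml in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage_manifest(xml))
```

A match on the label or on a cluster of service names is a reason to inspect the package further, not a verdict, since both are trivially renamed in a rebuilt variant.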

In the past week numerous new examples of Android malware have been found. A recent study found that more than one in five applications on the Android Market contain potential malware. Is it time for Google to monitor the apps which go into the Android Market?