Mobile Virus

Android/NickiSpy.A!tr.spy

Analysis

Android/NickiSpy.A!tr.spy is spyware for Android mobile phones, known to be circulating on unofficial application markets in China.
When installed on a device, it spies on the device's activity and sends the collected data to a remote server. More precisely, it records call conversations, monitors incoming and outgoing SMS, and tracks GPS locations.
The spyware does not display any application icon in the Application Launcher, which makes it likely to go unnoticed by the victim.
Its presence can only be detected in the Application Manager, where an application named "Android System Message" is listed. The name is intentionally confusing and makes the victim believe this is a genuine Android system application, though it is not.


Technical Details


This first version of the NickiSpy malware family is the least advanced, and carries debug functionality. In particular, if something goes wrong (InterruptedException), it sends an SMS to a hard-coded Chinese phone number, 158592XXXX. The body of the SMS is precisely:
IMEI: THE IMEI OF THE INFECTED PHONE
where the IMEI of the infected phone is inserted.
The malware uses a preferences file, named XM_All_Setting, where it stores its settings such as:
  • Service: the address of the remote server to send information to. By default, if no address is specified, this goes to jin.[REMOVED].com
  • Port: the port of the remote server to send information to. By default, this goes to port 2108.
  • BeginTime: the time to start the malware
  • EndTime: time to automatically stop the malware
  • IsGps: boolean indicating whether to spy GPS location or not
  • IsSms: same for incoming and outgoing SMS
  • IsCall: same for incoming and outgoing calls. This does not include a record of the conversation, but only how long it lasted and which number it concerns
  • IsRec: records a call conversation
  • IsAll: spy on everything that is possible
  • IsFirst: boolean indicating whether this is the first time the spyware is run.
Then, depending on the configuration, the malware starts the services for Gps, Sms, Call and Call recording.
Another service is also started: the SocketService. This service is in charge of sending the information to the remote server. It does not use HTTP, but connects to a remote socket, by default on port 2108, and sends data using its own formatting.
When call recording is enabled, the record file is stored on the SD card in
/sdcard/shangzhou/callrecord/THEDATE.amr
where the filename is built based on the current date.
When SMS spying is enabled, the malware sends the phone number, body, type (incoming, outgoing) and date for all SMS in the inbox or outbox.
When Call spying is enabled, the malware sends the call length, type (incoming, outgoing), date and user's number.
When GPS spying is enabled, the malware sends the latitude and longitude. The altitude is not reported. If the phone has an embedded GPS but the current location is unavailable, the malware reports the last known location. If the phone does not have an embedded GPS, the malware reports network information such as the current GSM Cell Id and the victim's current LAC (Location Area Code).
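For responders examining an extracted device image, the artifacts described above can be checked with a short triage script. This is an added example, not code from the original analysis; it assumes the preferences file is stored in Android's standard SharedPreferences XML form as XM_All_Setting.xml, and the package directory, server name and recording file name in the sample layout are constructed placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Assumption: SharedPreferences are stored as <name>.xml under shared_prefs/.
PREFS_FILE = "XM_All_Setting.xml"
RECORD_DIR = "shangzhou/callrecord"  # from the recording path given on the page
SPY_FLAGS = ("IsGps", "IsSms", "IsCall", "IsRec", "IsAll")

def parse_prefs(path):
    """Parse a SharedPreferences XML file into a dict of typed values."""
    prefs = {}
    for el in ET.parse(path).getroot():
        if el.tag == "string":
            prefs[el.get("name")] = el.text or ""
        elif el.tag == "boolean":
            prefs[el.get("name")] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[el.get("name")] = int(el.get("value"))
    return prefs

def triage(image_root):
    """Walk an extracted device image and collect NickiSpy.A artifacts."""
    found = {"configs": [], "recordings": []}
    for dirpath, _dirs, files in os.walk(image_root):
        posix_dir = dirpath.replace(os.sep, "/")
        for name in files:
            full = os.path.join(dirpath, name)
            if name == PREFS_FILE:
                cfg = parse_prefs(full)
                # server None means the built-in default applies; port defaults to 2108
                found["configs"].append({
                    "path": full, "server": cfg.get("Service"), "port": cfg.get("Port", 2108),
                    "enabled": [f for f in SPY_FLAGS if cfg.get(f)]})
            elif posix_dir.endswith(RECORD_DIR) and name.endswith(".amr"):
                found["recordings"].append(full)
    return found

def build_sample_image(root):
    """Create a constructed (not real) image layout for demonstration."""
    prefs_dir = os.path.join(root, "data", "data", "pkg.placeholder", "shared_prefs")
    rec_dir = os.path.join(root, "sdcard", "shangzhou", "callrecord")
    os.makedirs(prefs_dir)
    os.makedirs(rec_dir)
    with open(os.path.join(prefs_dir, PREFS_FILE), "w") as fh:
        fh.write('<map><string name="Service">c2.example.invalid</string>'
                 '<boolean name="IsGps" value="true"/><boolean name="IsSms" value="false"/>'
                 '<boolean name="IsRec" value="true"/></map>')
    open(os.path.join(rec_dir, "20110101.amr"), "wb").close()
    return root
```

Call triage() on the root directory of an extracted image; the server and port it reports can then be matched against outbound connection logs.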

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.