Mobile Virus

Android/NickiSpy.B!tr.spy

Analysis

Android/NickiSpy.B!tr.spy is an advanced variant of Android/NickiSpy.A!tr.spy.
The most significant differences with variant A are that

  • the malware is remotely configurable by SMS. For instance, to activate recording, send an SMS
  • in addition to variant A functionalities, the malware is able to record surrounding noises, or be notified when the phone boots
  • send reports by email


Technical Details


The malware is named as "Android System Log" (not Android System Message, like in Variant A).

Figure 1. The malware is named "Android System Log"
Surrounding noises are recording in /sdcard/LyyService/environment/THEDATE.amr.
When it starts, the malware contacts a remote web server: hxxp://www.[REMOVED].com/wapandroid/index.php?IMEI_Yan=VICTIM'sIMEI
The malware detects it is running on an emulator and quits.
It uses a preferences file named DBservicesetting,xml (not XM_All_Setting.xml). This file contains the following settings:
  • SafeOne: litteraly a 'safe' phone number - from the spyware's perspective, i.e a phone number that does not need to be spied. This is also the phone number from which the spy can send SMS commands.
  • SendMail: the account of the email to send information to. This is not the full email. To get the full email, the malware appends @163.com.
  • SendCode: the email password for the account above.
  • Sim:
  • Password: the SMS password. This is a mandatory prefix the spy must prefix his SMS with for the SMS command to be valid. The idea is to differentiate SMS commands from other SMS
  • IsBoot: boolean indicated whether notification must be sent when the phone is booting or not
  • IsGps: boolean indicated whether to spy GPS location or not
  • IsCallR: boolean indicating whether to record sounds or not
  • IsSteal: boolean indicating whether to spy SMS or not

The malware is able to process the following commands:
  • password#record: activate recording and send via email the contents of SMS messages on the phone when there are more than 20. This threshold is to make sure not to send out too many emails.
  • password#contact: send the phone's contacts via email
  • password#0boot: enable notifications when booting the phone. This sends an SMS to the "safeone" number when the phone boots
  • password#1boot: disable booting notifications
  • password#0log: enable phone call monitoring
  • password#1log: disable phone call monitoring
  • password#sendlog: send the call log via email
  • password#0sms: enable SMS monitoring
  • password#1sms: disable SMS monitoring
  • password#sendsms: send SMS via email
  • password#0gps: enable GPS monitoring
  • password#1gps: disable GPS monitoring
  • password#state: sends by SMS the status of the phone, i.e the monitoring functions which are open or not, the available memory on the phone.
  • password#*newnum: change the safeone phone number
  • password#0all: enable all monitorings
  • password#1all: disable all monitorings

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.