'SpyDealer' Android malware steals data from Facebook, WhatsApp and Skype apps

An advanced strain of Android malware with the ability to snoop on text messages and record phone calls is now being used by hackers to steal personal user data from more than 40 mainstream applications including Facebook, WhatsApp and Skype and WeChat.

Researchers from Unit42, the cybersecurity division of Palo Alto Networks, branded the malware 'SpyDealer' as it has a slew of sophisticated surveillance features such as "recording phone calls and surrounding audio, recording video, taking photos and capturing screenshots."

The malware is only 100% effective against devices running Android versions between 2.2 and 4.4, the experts wrote in a blog post, published on 7 July 2017.

This represents roughly 25% of all Android devices in the wild, leaving a massive 500 million phones and tablets potentially at risk in the worst-case scenario.

The malware relies on a commerical "rooting" tool which gives users greater control over devices – a process also known as jailbreaking. SpyDealer also abuses Android Accessibility (a feature designed to help disabled users' communicate) to steal data, Unit 41 said.

"SpyDealer makes use of the commercial rooting app 'Baidu Easy Root' to gain root privilege and maintain persistence on the compromised device," Unit 42 stated after analysing 1,046 separate samples. "SpyDealer employs a wide array of mechanisms to steal private information.

"At the same time, it accesses and exfiltrates sensitive data from more than 40 different popular apps with root privilege. With Accessibility Service, this malware is also capable of extracting plain-text messages from target apps in real time."

The team said SpyDealer remains under "active development".

The top 10 applications it targets are Facebook, WeChat, WhatsApp, Skype, Line, Viber, QQ, Telegram, Ali WangXin, and Kik. The services are exploited with the use of root privilages and malicious code, the popular services are not individually compromised in any way.

The data stolen from each service varies, but it includes databases, personal messages, chats, personal preferences and usernames.

There are currently three versions of SpyDealer spreading around third-party app stores and the majority are posing as Google Update software, the experts warned.

New strains of SpyDealer were created this year but evidence suggests older versions stretch back to October 2015.

There is nothing to suggest it is active on the official Google Play Store, the team said.

It remains unknown how many devices have been infected globally but analysis suggested that some Chinese users had been infected through compromised wireless networks.

Like most well-designed malware samples, SpyDealer automatically connects to the culprit's command and control (C&C) server, a place where they can send malicious prompts to the targeted device and steal files, documents, pictures, recordings and much more.

In some ways, it is the perfect spy tool. Once the malware notices an active call it can record the conversation (and background audio) before sending it to the hacker. It can also record video for up to 10 seconds and – if a Wi-Fi connection is available – upload it to the criminal.

Users are advised to only download applications from the official Google application store, always check reviews before using software and ensuring all devices have the latest security updates installed. Third-party stores may give you free apps, but they could leave your data exposed.