web analytics

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

We found a new spyware family disguised as chat apps on a phishing website. We believe that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign. We first came across the threat in May on the site http://gooogle[.]press/, which was advertising a chat app called “Chatrious.” Users can download the malicious Android application package (APK) file by clicking the download button indicated on the site.

The website became inactive for months after that encounter in May. We only noticed that it came back in October, this time with a different app called “Apex App.” We have identified this as a spyware family that can steal user’s personal information. Trend Micro detects both of the threats as AndroidOS_CallerSpy.HRX.

Figure 1. Screenshots of Chatrious (left) and Apex App (right)

Figure 1. Screenshots of Chatrious (left) and Apex App (right)

Behavior analysis

CallerSpy claims it’s a chat app, but we found that it had no chat features at all and it was riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.

Figure 3. Scheduled jobs

Figure 3. Scheduled jobs

SourceCommand
alive_latest_files_watcherStarts latest_files_watcher job and keeps it alive
enviorment_schedulersConfigures environment record module
keep_enviorment_scehdular_aliveStarts the enviorment_scehdular job and keeps it alive
keep_listener_aliveStarts listener job and keeps it alive
latest_files_watcherCollects latest call logs, SMSs, contacts, and files
listenersUpdates configuration and takes a screenshot
record_enviormentRecords environment
remote_syncUploads privacy to the remote C&C server
sync_data_locallyCollects all call log, SMS, contacts, and files information on the device

Table 1. Some of CallerSpy’s scheduling job tags

All of the stolen information are collected and stored in a local database before they’re uploaded to the C&C server periodically. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.

Figure 4. Privacy database

Figure 4. Privacy database

The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)

Infrastructure analysis

The domain gooogle[.]press masquerades as Google to trick users into downloading the app. The domain even goes into putting a supposed copyright detail at the bottom of the website.

Figure 6. Fake copyright info

Figure 6. Fake copyright info

The attackers behind this campaign made an effort to hide their tracks. Whois Lookup reveals that this domain was registered on February 11, 2019 at Namecheap. However, we found that all the registrant data was untraceable. It is important to note, however, that domain privacy protection is common among domains that Namecheap offers.

Figure 7. gooogle[.]press registration info

Figure 7. gooogle[.]press registration info

We did catch four C&C IP addresses, all hosted on a legitimate service. We can only confirm that the C&C service uses Node.js on port 3000.

Initial phase of a bigger campaign

Based on the aforementioned clues and past findings, we believe that this is a new campaign. There have been no detections for it on VirusTotal at the time of writing.

Figure 9. VirusTotal scan result

Figure 8. VirusTotal scan result

The campaign’s target is still unclear because we have not seen actual victims. We also conclude that this is the initial phase of an attack based on the following reasons:

  • CallerSpy, as it is now, could prove uneven for a targeted attack. It has no user interface (UI), no real useful feature, and only implements espionage features. It uses the default app icon and even is labeled as “rat.” We also found some debug code left in CallerSpy.

Figure 10. CallerSpy icon and label (left), debug code (right)

Figure 9. CallerSpy icon and label (left), debug code (right)

  • Sample certification information indicates that it is only used for testing.

Figure 11. Certification details

Figure 10. Certification details

  • The download section of the webpage has three buttons indicating Apple, Android and Windows platforms, but it only supports Android for now.

Figure 12. The app advertises to be available on different platforms

Figure 11. The app advertises to be available on different platforms

  • So far, our monitoring has not found any volume infection, which could mean that the threat actor may be waiting for a chance to spread the malware.

The malicious apps can be detected by Trend Micro solutions, such as the Trend Micro™ Mobile Security for Android™. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

Indicators of Compromise (IoCs)

Sample hashes

SHA-256Package nameLabel
0c4b08bec1251b1ebc715a7ef1a712cdcb4d37ce0093d88f7fa73b0e05bf7b0ecom.sas.gplayservices.accesibilityGSERVICES
38acf26161a2c6429ee40d9b70d8419a9bd00eaa8740d221f943cea3229372ddcom.sas.gservices.accesibilityGSERVICES
3bf85d0aff5ddc0c57e43b879631ee692d98d01f5c964336471f1cdfe0d291f8com.example.ratrat
7cb0eb93de496e2141b6e0541465ca71a84063867381085692885c75aa59cb1bcom.pdf.searcher.ddPdf Searcher
8ad18bd8f5d2f1fd9e00211170e8a540ddf7f51618588fab31b4ddd2b34b75e1com.pdfd.researcher.resaq_ver1Caller
c8e1a702a27309c22728792c64aad4abc14ec2bfad1b30a4f27b8ebc6bcc68ffcom.sas.gservices.accesibilityGSERVICES

C&C servers
3.95.71.123:3000
18.206.105.66:3000
40.114.109.69:3000
52.21.5.241:2000

Phishing domain
http://gooogle[.]press/

MITRE ATT&CK Techniques

TacticTechniqueIDDescription
Initial AccessMasquerade as Legitimate ApplicationT1444Used to masquerade as a legitimate chat app
PersistenceAbuse Device Administrator Access to Prevent RemovalT1401Used to request device administrator privilege
PersistenceApp Auto-Start at Device BootT1402Used to listen for the BOOT_COMPLETED broadcast
Defense EvasionSuppress Application IconT1508Used to suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed
DiscoveryFile and Directory DiscoveryT1420Used to enumerate external storage file system
DiscoveryLocation TrackingT1430Used to track device’s location
CollectionAccess Call LogT1433Used to gather call log data
CollectionAccess Contact ListT1432Used to gather contact list data
CollectionCapture AudioT1429Used to record audio information
CollectionCapture SMS MessagesT1412Used to collect SMS messages
CollectionData from Local SystemT1533Used to collect files from the device, including documents, photos, and  media files
CollectionLocation TrackingT1430Used to track device’s location
CollectionScreen CaptureT1513Used to take screenshot on the device
ExfiltrationStandard Application Layer ProtocolT1437Used Standard HTTP Protocol
Command and ControlUncommonly Used PortT1509Used uncommon ports 2000, 3000

The post Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack appeared first on .