Tuesday, December 3, 2019

Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Trend Micro reports the following:

Behavior analysis
CallerSpy claims to be a chat app, but we found that it has no chat features at all and is riddled with espionage behaviors. When launched, CallerSpy opens a connection to the C&C server via Socket.IO and waits for incoming commands. It then uses Evernote Android-Job to schedule jobs that steal information.

Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)

CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.

Figure 3. Scheduled jobs

| Source | Command |
| --- | --- |
| alive_latest_files_watcher | Starts latest_files_watcher job and keeps it alive |
| enviorment_schedulers | Configures environment record module |
| keep_enviorment_scehdular_alive | Starts the enviorment_scehdular job and keeps it alive |
| keep_listener_alive | Starts listener job and keeps it alive |
| latest_files_watcher | Collects latest call logs, SMSs, contacts, and files |
| listeners | Updates configuration and takes a screenshot |
| record_enviorment | Records environment |
| remote_sync | Uploads privacy to the remote C&C server |
| sync_data_locally | Collects all call log, SMS, contacts, and files information on the device |

Table 1. Some of CallerSpy’s scheduling job tags

All of the stolen information is collected and stored in a local database before it is periodically uploaded to the C&C server. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.

Figure 4. Privacy database

The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.

Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
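As an added triage example (not code from the Trend Micro report), the following Python script checks the string table of a decoded APK for the job tags listed in Table 1, the package names of the two libraries the report names, and the targeted file extensions, then returns a coarse verdict. The package names and the sample string table are assumptions constructed for this example.

```python
"""Triage helper for the CallerSpy traits described above: Android-Job tags,
a Socket.IO client, and the list of harvested extensions. Added example, not
from the report. Input is a list of strings such as `strings classes.dex`
would produce; the sample at the bottom is constructed."""

# Job tags from Table 1, kept verbatim (including the malware's own misspellings).
CALLERSPY_JOB_TAGS = {
    "alive_latest_files_watcher", "enviorment_schedulers",
    "keep_enviorment_scehdular_alive", "keep_listener_alive",
    "latest_files_watcher", "listeners", "record_enviorment",
    "remote_sync", "sync_data_locally",
}
# Package prefixes of the libraries the report names (assumed, not from the page).
LIBRARY_MARKERS = {
    "socket.io": "io.socket.client",
    "android-job": "com.evernote.android.job",
}
# Extensions the spyware harvests, per the report.
TARGET_EXTENSIONS = {"jpg", "jpeg", "png", "docx", "xls", "xlsx", "ppt", "pptx",
                     "pdf", "doc", "txt", "csv", "aac", "amr", "m4a", "opus", "wav"}


def triage(strings):
    """Return matched job tags, libraries and extensions plus a coarse verdict."""
    # Dex strings use '/' in type descriptors; normalise to dotted package form.
    norm = {s.strip().replace("/", ".") for s in strings}
    tags = sorted(CALLERSPY_JOB_TAGS & norm)
    libs = sorted(name for name, pkg in LIBRARY_MARKERS.items()
                  if any(pkg in s for s in norm))
    exts = sorted(e for e in TARGET_EXTENSIONS if f".{e}" in norm)
    # Two or more of the exact job tags plus the scheduler library is a strong
    # match; the libraries alone are common in benign apps and count as weak.
    if len(tags) >= 2 and "android-job" in libs:
        verdict = "callerspy-like"
    elif tags or len(exts) >= 5:
        verdict = "suspicious"
    else:
        verdict = "no-match"
    return {"tags": tags, "libraries": libs, "extensions": exts, "verdict": verdict}


# Constructed sample string table (not real CallerSpy output).
SAMPLE_STRINGS = [
    "Lcom/evernote/android/job/JobRequest;", "Lio/socket/client/Socket;",
    "keep_listener_alive", "sync_data_locally", "remote_sync",
    ".jpg", ".pdf", ".docx", ".amr", ".opus", ".wav", "Chat with your friends!",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```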

For the full analysis, see the original Trend Micro report.