Trend Micro reports this:
CallerSpy claims it’s a chat app, but we found that it had no chat features at all and it was riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to monitor upcoming commands. It then utilizes Evernote Android-Job to start scheduling jobs to steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
| Job tag | Description |
|---|---|
| alive_latest_files_watcher | Starts the latest_files_watcher job and keeps it alive |
| enviorment_schedulers | Configures the environment record module |
| keep_enviorment_scehdular_alive | Starts the enviorment_scehdular job and keeps it alive |
| keep_listener_alive | Starts the listener job and keeps it alive |
| latest_files_watcher | Collects the latest call logs, SMSs, contacts, and files |
| listeners | Updates the configuration and takes a screenshot |
| remote_sync | Uploads the collected private data to the remote C&C server |
| sync_data_locally | Collects all call log, SMS, contacts, and file information on the device |

Table 1. Some of CallerSpy's scheduling job tags (tag names are reproduced as they appear in the sample, spelling included)
All of the stolen information is collected and stored in a local database before it is periodically uploaded to the C&C server. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
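As an added defender-side example (not code from the Trend Micro report), the following Python parses Socket.IO event frames from a captured session and flags any event whose payload is a Base64 string that decodes to a PNG or JPEG, which is the screenshot exfiltration pattern described above. The frame layout handled (default namespace, no ack id), the event names and the sample frames are assumptions for this example, not values from the report.

```python
import base64
import json
import re

# Socket.IO event frame: Engine.IO type 4 (message) + Socket.IO type 2 (event),
# then a JSON array [event_name, payload...]. Assumes default namespace, no ack id.
FRAME_RE = re.compile(r"^42(\[.*\])$", re.S)
# Magic bytes of the image formats a screenshot is likely to be encoded in.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

def parse_event(frame):
    # Returns (event_name, args) for an event frame, None for anything else.
    m = FRAME_RE.match(frame)
    if not m:
        return None
    try:
        arr = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    if not isinstance(arr, list) or not arr or not isinstance(arr[0], str):
        return None
    return arr[0], arr[1:]

def decoded_image_type(value):
    # If value is Base64 text that decodes to a PNG or JPEG, return its type.
    if not isinstance(value, str) or len(value) < 16:
        return None
    try:
        raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return None
    return next((k for magic, k in IMAGE_MAGIC.items() if raw.startswith(magic)), None)

def find_image_exfil(frames):
    # Returns (event_name, image_type) for each frame whose payload carries an image.
    hits = []
    for frame in frames:
        parsed = parse_event(frame)
        if parsed is None:
            continue
        name, args = parsed
        for arg in args:  # image may be an array element itself or a dict value
            for v in (arg.values() if isinstance(arg, dict) else [arg]):
                kind = decoded_image_type(v)
                if kind:
                    hits.append((name, kind))
    return hits

# Constructed sample capture; the event names are invented for this example.
FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32).decode()
SAMPLE_FRAMES = ['42["ping",{}]', '42["screen",{"img":"' + FAKE_PNG + '"}]', "3"]
```

Running `find_image_exfil(SAMPLE_FRAMES)` returns `[('screen', 'png')]`; the same check can be applied to any Socket.IO text frames pulled from a proxy or packet capture.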
For full info click here