From Trend Micro's report on the CallerSpy Android spyware:
Behavior analysis
CallerSpy claims to be a chat app, but we found that it had no chat features at all and was riddled with espionage behaviors. When launched, CallerSpy opens a connection to the C&C server via Socket.IO and listens for incoming commands. It then uses the Evernote Android-Job library to schedule the jobs that steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets up several scheduled jobs to collect call logs, SMS messages, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
| Job tag | Purpose |
|---|---|
| alive_latest_files_watcher | Starts the latest_files_watcher job and keeps it alive |
| enviorment_schedulers | Configures the environment recording module |
| keep_enviorment_scehdular_alive | Starts the enviorment_scehdular job and keeps it alive |
| keep_listener_alive | Starts the listener job and keeps it alive |
| latest_files_watcher | Collects the latest call logs, SMS messages, contacts, and files |
| listeners | Updates the configuration and takes a screenshot |
| record_enviorment | Records the environment (ambient audio) |
| remote_sync | Uploads the collected private data to the remote C&C server |
| sync_data_locally | Collects all call log, SMS, contact, and file information on the device into the local database |
Table 1. Some of CallerSpy's scheduled job tags (the misspellings are the malware's own and are useful as static indicators)
All of the stolen information is collected and stored in a local database before it is periodically uploaded to the C&C server. The spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, and wav.
Figure 4. Privacy database
The screenshot gets captured
when a command is received from the C&C server. The screenshot image
then gets encoded using Base64 and sent back to the server via a
preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
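The indicators above (the Android-Job tags from Table 1, the hard-coded list of targeted file extensions, the Socket.IO C&C channel, and the data-theft permissions) can be turned into a static triage check. The following is an added example written for this page; it is not Trend Micro's code and not part of the malware. It scores a list of strings as you would get them from `strings` or a decompiler run over an APK. The Socket.IO and Android-Job package prefixes are assumed from those libraries' usual Java package names, and the sample string lists are constructed for the example, not extracted from a real sample.

```python
"""Static triage of APK strings for CallerSpy-style spyware indicators.

Added example: not Trend Micro's code and not the malware's. The job tags
and file extensions come from the report text; the library package prefixes
are assumed and should be checked against your decompiler's output.
"""

# Job tags from Table 1. The misspellings are the malware's own; a legitimate
# app is very unlikely to use these exact strings as Android-Job tags.
CALLERSPY_JOB_TAGS = frozenset({
    "alive_latest_files_watcher", "enviorment_schedulers",
    "keep_enviorment_scehdular_alive", "keep_listener_alive",
    "latest_files_watcher", "listeners", "record_enviorment",
    "remote_sync", "sync_data_locally",
})

# File extensions the report says the spyware collects from the device.
TARGET_EXTENSIONS = frozenset({
    "jpg", "jpeg", "png", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
    "doc", "txt", "csv", "aac", "amr", "m4a", "opus", "wav",
})

# Assumed package prefixes of the two libraries the report names.
LIBRARY_MARKERS = {
    "socket.io": ("io.socket.client", "io.socket.emitter"),
    "android-job": ("com.evernote.android.job",),
}

# Permissions a "chat app" with no chat features has little reason to hold.
SUSPICIOUS_PERMISSIONS = frozenset({
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
})


def triage_strings(strings):
    """Bucket every string into the indicator categories it matches."""
    found = {"job_tags": set(), "extensions": set(),
             "libraries": set(), "permissions": set()}
    for raw in strings:
        s = raw.strip()
        if s in CALLERSPY_JOB_TAGS:
            found["job_tags"].add(s)
        # Extensions appear in DEX strings either as "jpg" or ".jpg".
        ext = s.lower().lstrip(".")
        if ext in TARGET_EXTENSIONS and len(s) <= 6:
            found["extensions"].add(ext)
        for lib, prefixes in LIBRARY_MARKERS.items():
            if s.startswith(prefixes):
                found["libraries"].add(lib)
        if s in SUSPICIOUS_PERMISSIONS:
            found["permissions"].add(s)
    return found


def verdict(found):
    """Two or more of the malware's own job tags is a direct fingerprint.
    Otherwise require at least two weaker signals (the full extension list,
    both libraries together, several data-theft permissions) to avoid
    flagging every legitimate app that merely uses Socket.IO."""
    if len(found["job_tags"]) >= 2:
        return "callerspy-match"
    weak_signals = sum([
        len(found["extensions"]) >= 8,
        len(found["libraries"]) == 2,
        len(found["permissions"]) >= 2,
    ])
    return "suspicious" if weak_signals >= 2 else "clean"


# Constructed sample input resembling strings dumped from a decompiled APK.
CONSTRUCTED_APK_STRINGS = [
    "io.socket.client.Socket", "io.socket.client.IO",
    "com.evernote.android.job.JobRequest",
    "remote_sync", "latest_files_watcher", "record_enviorment",
    "android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    ".jpg", ".png", ".pdf", ".docx", ".amr", ".opus", ".wav", ".txt", ".csv",
    "privacy.db", "screenshot",
]

# Constructed strings from a benign messaging app for comparison.
BENIGN_STRINGS = [
    "com.google.firebase.messaging.FirebaseMessagingService",
    ".jpg", ".png", "android.permission.INTERNET", "chat_room",
]

if __name__ == "__main__":
    for name, sample in (("sample", CONSTRUCTED_APK_STRINGS),
                         ("benign", BENIGN_STRINGS)):
        hits = triage_strings(sample)
        print(name, verdict(hits), {k: sorted(v) for k, v in hits.items()})
```

On a real sample, feed the output of `strings classes.dex` (or the string pool from jadx/apktool) into `triage_strings`. The job tags are the strongest signal because they are hard-coded, misspelled, and specific to this family; the extension list and library pairing are only corroborating, since many legitimate apps use Socket.IO or Android-Job.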