New Android Malware In Google+ App Disguise

Trend Micro Labs has discovered a new flavor of Android malware on Android Marketplace, detected as ANDROIDOS_NICKISPY.C. It is distributed as a fake Google+ app and, once installed, runs in the background as a set of Android services. The malware is capable of answering and recording phone calls. The origin of this malware is still unknown.

To hide from affected users, the malware uses the Google+ icon for all of its services, and the app itself is installed under the name Google++. Trend Micro's malware analysts found that ANDROIDOS_NICKISPY.C registers the following services:

  • MainService
  • AlarmService
  • SocketService
  • GpsService
  • CallRecordService
  • CallLogService
  • UploadService
  • SmsService
  • ContactService
  • SmsControllerService
  • CommandExecutorService
  • RegisterService
  • CallsListenerService
  • KeyguardLockService
  • ScreenService
  • ManualLocalService
  • SyncContactService
  • LocationService
  • EnvRecordService

ANDROIDOS_NICKISPY.C can receive and automatically answer calls, and collects text messages, call logs and GPS location from the infected device. It uploads the collected data to a remote server over port 2018. The malware also accepts commands sent by text message: the sender must use the predefined "controller" number from the malware's configuration file and supply a password with the command. The automatic call answering depends on the MODIFY_PHONE_STATE permission, which Android 2.3 no longer grants to third-party applications, so that feature only works on devices running Android 2.2 or earlier; the data collection and SMS command channel do not depend on it.
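The service list and capabilities above are enough for a static triage check. The following script is an added example, not Trend Micro's tooling and not code from the sample: it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and flags the indicators the article describes, namely Google branding from a non-Google package, the NICKISPY service names, and the permission bundle those capabilities would require. The sample manifest, its package name `com.example.gplusplus` and the exact permission set are constructed for illustration; the permission bundle is an assumption derived from the described behaviour, not read from the real sample.

```python
# Added example (not Trend Micro's tooling and not code from the sample):
# static triage of a decoded AndroidManifest.xml for the indicators the
# article lists. The sample manifest, its package name and the exact
# permission set are constructed for illustration; the permission bundle is
# an assumption derived from the described capabilities.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS

# Service class names reported for ANDROIDOS_NICKISPY.C (from the article).
NICKISPY_SERVICES = {
    "MainService", "AlarmService", "SocketService", "GpsService",
    "CallRecordService", "CallLogService", "UploadService", "SmsService",
    "ContactService", "SmsControllerService", "CommandExecutorService",
    "RegisterService", "CallsListenerService", "KeyguardLockService",
    "ScreenService", "ManualLocalService", "SyncContactService",
    "LocationService", "EnvRecordService",
}

# Permissions the described behaviour would need (assumption, see above).
SPY_PERMISSIONS = {
    "android.permission.MODIFY_PHONE_STATE",    # auto-answer calls
    "android.permission.RECORD_AUDIO",          # call / environment recording
    "android.permission.RECEIVE_SMS",           # SMS command channel
    "android.permission.READ_SMS",              # SMS collection
    "android.permission.ACCESS_FINE_LOCATION",  # GPS tracking
    "android.permission.READ_CONTACTS",         # contacts and call log
    "android.permission.INTERNET",              # upload to remote server
}

# Constructed manifest mimicking the disguise described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gplusplus">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <application android:label="Google++" android:icon="@drawable/gplus">
    <service android:name=".MainService"/>
    <service android:name=".SmsControllerService"/>
    <service android:name=".CallRecordService"/>
    <service android:name=".UploadService"/>
    <service android:name=".GpsService"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Extract package, label, permission and service indicators."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    perms = {e.get(NAME_ATTR, "") for e in root.iter("uses-permission")}
    # Service names may be relative (".MainService"); compare the class name.
    services = {s.get(NAME_ATTR, "").rsplit(".", 1)[-1]
                for s in root.iter("service")}
    return {
        "package": package,
        "label": label,
        # Google branding from a package outside com.google.* is the disguise.
        "brand_spoof": "google" in label.lower()
                       and not package.startswith("com.google."),
        "matched_services": sorted(services & NICKISPY_SERVICES),
        "matched_permissions": sorted(perms & SPY_PERMISSIONS),
        "can_auto_answer": "android.permission.MODIFY_PHONE_STATE" in perms,
    }


def verdict(ind):
    """Flag the NICKISPY service set, or a Google-branded app from a
    non-Google package that carries most of the spyware permission bundle."""
    if len(ind["matched_services"]) >= 3:
        return "suspicious"
    if ind["brand_spoof"] and len(ind["matched_permissions"]) >= 4:
        return "suspicious"
    return "clean"


def auto_answer_possible(api_level, ind):
    """Android 2.3 (API 9) stopped granting MODIFY_PHONE_STATE to third-party
    apps, so the call-answering feature needs API level 8 (2.2) or lower."""
    return ind["can_auto_answer"] and api_level <= 8


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], verdict(result),
          "auto-answer on 2.2:", auto_answer_possible(8, result),
          "on 2.3:", auto_answer_possible(9, result))
```

Matching on the bare class name rather than the full `android:name` is deliberate: the package prefix of the real sample is not given in the article, and a repackaged variant can change it while keeping the service names. The `auto_answer_possible` check encodes the caveat from the paragraph above: declaring MODIFY_PHONE_STATE in the manifest is still an indicator on Android 2.3 and later, but the permission is not granted there, so only the call-answering capability is lost.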

Trend Micro rates the malware as low risk, and the disguised app can be removed from an Android device through Settings > Applications > Manage applications: select Google++ and tap Uninstall.