New Android trojan records phone calls, shares with remote server

We have been recently blogging about many Android malware as the threat landscape has been witnessing an increasing trend in targeting the mobile platforms and today we have received an Android package to our collection and observed that this piece of malware walks an additional mile by having a neat configuration and has a capability to record the telephonic conversation the infected victim makes. In one of our earlier blogs, we have demonstrated how a Trojan logs all the details of incoming/outgoing calls and call duration in a text file. This Trojan is more advanced as it records the conversation itself in “amr” format. Also it has got many other malicious activities that we have seen in many of the earlier malware incidents targeted for Android platform.

Hence, in this blog, we will demonstrate this particular conversation recording payload of the malware.

Fig.1: Permissions needed by the “app”.

It is always recommended to have a logical decision making before allowing an app to have certain permissions.

Once the malware is installed in the victim device, it drops a “configuration” file that contains key information about the remote server and the parameters. Fig.2 shows the contents of this file.

Fig.2: The config information

To see the payload in action, the Trojan is installed in a controlled environment with two mobile emulators running along with simulated internet services.

Fig.3: Making a phone call from the victim device to trigger the payload.

As the converstation goes on, the Trojan stores the recorded call in a directory shangzhou/callrecord in the SDCard. Fig.4 is the snapshot of the directory structure in SDCard.

Fig.4: the recorded file in amr file format.

As it is already widely acknowledged that this year is the year of mobile malware, we advice the smartphone users to be more logical and exercise the basic security principles while surfing and installing any applications.