Mobile Campaign Starts Targeted Attacks Using CallerSpy
We found a new spyware family hosted on a phishing website; it may initially be used for a targeted attack campaign. We first came across the threat in May via http://gooogle[.]press/, which was advertising a chat app called “Chatrious.”
We found a new spyware family disguised as chat apps on a phishing website. We believe that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign. We first came across the threat in May on the site http://gooogle[.]press/, which was advertising a chat app called “Chatrious.” Users can download the malicious Android application package (APK) file by clicking the download button indicated on the site.
The website became inactive for months after that encounter in May. We only noticed that it came back in October, this time with a different app called “Apex App.” We have identified this as a spyware family that can steal users’ personal information. Trend Micro detects both of the threats as AndroidOS_CallerSpy.HRX.
Figure 1. Screenshots of Chatrious (left) and Apex App (right)
Behavior analysis
CallerSpy claims to be a chat app, but we found that it has no chat features at all and is riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO and listens for incoming commands. It then uses the Evernote Android-Job library to schedule the jobs that steal information.
Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)
CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, and files on the device. It also receives commands from the C&C server to take screenshots, which it later sends to the server.
Figure 3. Scheduled jobs
| Source | Command |
| --- | --- |
| alive_latest_files_watcher | Starts the latest_files_watcher job and keeps it alive |
| enviorment_schedulers | Configures the environment record module |
| keep_enviorment_scehdular_alive | Starts the enviorment_scehdular job and keeps it alive |
| keep_listener_alive | Starts the listener job and keeps it alive |
| latest_files_watcher | Collects the latest call logs, SMSs, contacts, and files |
| listeners | Updates configuration and takes a screenshot |
| record_enviorment | Records the environment |
| remote_sync | Uploads the collected private data to the remote C&C server |
| sync_data_locally | Collects all call log, SMS, contacts, and file information on the device |
Table 1. Some of CallerSpy’s scheduling job tags
All of the stolen information is collected and stored in a local database before it is uploaded to the C&C server periodically. This spyware targets the following file types: jpg, jpeg, png, docx, xls, xlsx, ppt, pptx, pdf, doc, txt, csv, aac, amr, m4a, opus, wav, and amr.
Figure 4. Privacy database
The screenshot gets captured when a command is received from the C&C server. The screenshot image then gets encoded using Base64 and sent back to the server via a preconfigured Socket.IO connection.
Figure 5. Monitor commands from C&C server (left), take and send the screenshot (right)
Infrastructure analysis
The domain gooogle[.]press masquerades as Google to trick users into downloading the app. The site even includes a supposed copyright notice at the bottom of the page.
Figure 6. Fake copyright info
The attackers behind this campaign made an effort to hide their tracks. A WHOIS lookup reveals that this domain was registered on February 11, 2019 at Namecheap. However, we found that all the registrant data was untraceable. It is important to note, however, that domain privacy protection is common among domains that Namecheap offers.
Figure 7. gooogle[.]press registration info
We did catch four C&C IP addresses, all hosted on a legitimate service. We can only confirm that the C&C service uses Node.js on port 3000.
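As an added defender-side example (not from the report), the function below scans web-proxy log lines for the C&C pattern described above: Socket.IO traffic to a Node.js service on the uncommon ports 3000 and 2000. The ports come from the report’s IoC section; the simplified log format and the sample lines are constructed, and the `/socket.io/` request path is assumed to be the library’s default handshake endpoint rather than something the page states.

```python
# Added example: flag proxy-log lines that look like CallerSpy C&C traffic.
import re
from typing import Dict, List, Optional

# Constructed log format: <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>https?://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>\S*)) "
    r"(?P<status>\d{3})$"
)
CNC_PORTS = {3000, 2000}       # ports listed in the report's IoC section
SOCKETIO_PATH = "/socket.io/"  # assumed default Socket.IO endpoint

def classify(line: str) -> Optional[Dict]:
    """Return an alert for a suspicious line, or None for normal traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable lines are left for a separate quality check
    if m["port"]:
        port = int(m["port"])
    else:
        port = 443 if m["url"].startswith("https") else 80
    path = m["path"] or "/"
    reasons = []
    if port in CNC_PORTS:
        reasons.append(f"uncommon C&C port {port}")
    if path.startswith(SOCKETIO_PATH):
        reasons.append("Socket.IO handshake path")
    if not reasons:
        return None
    # Both reasons together match the report's description most closely.
    return {"client": m["client"], "host": m["host"], "port": port,
            "reasons": reasons, "score": len(reasons)}

def scan_log(lines: List[str]) -> List[Dict]:
    """Run classify() over every line and keep only the alerts."""
    return [a for a in map(classify, lines) if a]

# Constructed sample lines (TEST-NET addresses, not the real C&C servers).
SAMPLE_LOG = [
    "2019-10-05T10:00:01Z 10.0.0.5 GET http://198.51.100.10:3000/socket.io/?EIO=3&transport=polling 200",
    "2019-10-05T10:00:02Z 10.0.0.5 POST http://198.51.100.10:3000/socket.io/?EIO=3&transport=polling&sid=abc 200",
    "2019-10-05T10:00:03Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2019-10-05T10:00:04Z 10.0.0.9 GET http://dev.example.net:3000/ 200",
]
```

Alerts with a score of 2 (uncommon port and Socket.IO path together) are the ones worth escalating first; a lone port hit, like the last sample line, is more likely a developer’s local Node.js service.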
Initial phase of a bigger campaign
Based on the aforementioned clues and past findings, we believe that this is a new campaign. There have been no detections for it on VirusTotal at the time of writing.
Figure 8. VirusTotal scan result
The campaign’s target is still unclear because we have not seen actual victims. We also conclude that this is the initial phase of an attack based on the following reasons:
- CallerSpy, as it is now, is not yet polished enough for a targeted attack. It has no user interface (UI) and no genuinely useful feature, and it implements only espionage functions. It uses the default app icon and is even labeled as “rat.” We also found some debug code left in CallerSpy.
Figure 9. CallerSpy icon and label (left), debug code (right)
- The sample’s signing certificate information indicates that it is only used for testing.
Figure 10. Certification details
- The download section of the webpage has three buttons indicating Apple, Android and Windows platforms, but it only supports Android for now.
Figure 11. The app is advertised as available on different platforms
- So far, our monitoring has not found any infections in volume, which could mean that the threat actor is waiting for a chance to spread the malware.
The malicious apps can be detected by Trend Micro solutions, such as the Trend Micro™ Mobile Security for Android™. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, the Trend Micro Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise (IoCs)
C&C servers
- 3.95.71.123:3000
- 18.206.105.66:3000
- 40.114.109.69:3000
- 52.21.5.241:2000
Phishing domain
- http://gooogle[.]press/
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Masquerade as Legitimate Application | T1444 | Used to masquerade as a legitimate chat app |
| Persistence | Abuse Device Administrator Access to Prevent Removal | T1401 | Used to request device administrator privilege |
| Persistence | App Auto-Start at Device Boot | T1402 | Used to listen for the BOOT_COMPLETED broadcast |
| Defense Evasion | Suppress Application Icon | T1508 | Used to suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed |
| Discovery | File and Directory Discovery | T1420 | Used to enumerate the external storage file system |
| Discovery | Location Tracking | T1430 | Used to track the device’s location |
| Collection | Access Call Log | T1433 | Used to gather call log data |
| Collection | Access Contact List | T1432 | Used to gather contact list data |
| Collection | Capture Audio | T1429 | Used to record audio information |
| Collection | Capture SMS Messages | T1412 | Used to collect SMS messages |
| Collection | Data from Local System | T1533 | Used to collect files from the device, including documents, photos, and media files |
| Collection | Location Tracking | T1430 | Used to track the device’s location |
| Collection | Screen Capture | T1513 | Used to take screenshots on the device |
| Exfiltration | Standard Application Layer Protocol | T1437 | Used the standard HTTP protocol |
| Command and Control | Uncommonly Used Port | T1509 | Used uncommon ports 2000 and 3000 |