ANDROIDOS_NICKISPY.C
Information Stealer
Android OS

Threat Type: Spyware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Android spyware records phone calls and answer calls automatically.
To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This Android spyware automatically executes upon boot-up and runs certain services that monitor SMS, calls, and location.
When executed, it does several routines such as gathering the GPS location, recording calls made in the infected phone, and stealing messages in the inbox and outbox.
It sends the information it gathers to a remote site using port 2018.
This spyware may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.
It bears the file icons of certain applications to avoid easy detection and consequent removal.
TECHNICAL DETAILS
Arrival Details
This spyware may be unknowingly downloaded by a user while visiting malicious websites.
It may be manually installed by a user.
Installation
This spyware bears the file icons of the following applications:
- Google+
NOTES:
This spyware automatically executes upon boot up and runs the following services:
- AlarmService
- CallLogService
- CallRecordService
- CallsListenerService
- CommandExecutorService
- ContactService
- EnvRecordService
- GpsService
- KeyguardLockService
- LocationService
- MainService
- ManualLocalService
- RegisterService
- ScreenService
- SmsControllerService
- SmsService
- SocketService
- SyncContactService
- UploadService
It performs the following routines:
- Answer incoming calls automatically
- Gathers the GPS location
- Kill processes
- Kill self
- List processes
- Obtain call logs
- Record audio
- Records calls made in the affected phone
- Redirect SMS
- Set listen time
- Set upload time
- Steals messages in the inbox and outbox of the affected phone
- Upload information (GPS information, calls, SMS, log file, contacts)
Recorded calls (.AMR format) and call logs are stored in the following location:
- /sdcard/mtm/data/
It sends the information it gathers to the following remote site using port 2018:
- {BLOCKED}.61ing.com
SOLUTION
Step 1
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via Google Play.
Step 2
Remove unwanted apps on your Android mobile device
Did this description help? Tell us how we did.