Android malware steals data from popular apps like WhatsApp and Facebook

Security firm Palo Alto Networks has published an analysis of Android malware it calls SpyDealer. It targets devices with outdated Android versions and uses a variety of techniques to steal data, for example from popular apps.

The malware is most effective on devices with Android versions between 2.2 and 4.4, because the rooting technique it uses only works on those versions. However, on newer Android versions, the malware could still get hold of data, the company said. According to recent statistics from Google, about a quarter of all Android devices still run those old versions. To gain root access, SpyDealer uses the Baidu Easy Root app.

Palo Alto Networks says it is not sure how the malware is distributed, as it does not appear in Google’s Play Store. The company says it has indications that Chinese users are being infected via malicious Wi-Fi networks. The malware is said to have been in use for about a year and a half and it appears that it is still in development. SpyDealer is able to receive commands through a command and control server.

In this way, the malware is able to perform a large number of actions. For example, it can steal data from 40 popular apps, such as Facebook, WhatsApp and Telegram. The malicious software does require root access for this. For instance, the malware tries to read the databases of the various apps and retrieve contacts. Using the accessibility service, the malware can access the content of messages displayed on the screen, the company said.

SpyDealer’s other functionality includes voice, audio and video recording. In addition, it can take screenshots, find out the location of the device and access text messages, phone information, call history, contacts and Wi-Fi information. Finally, calls from a certain number can be answered automatically. The company has informed Google of its findings.
