Researchers from mobile security outfit Skycure have recently analyzed a malicious app they found on an Android 6.0.1 device owned by a VP at a global technology company.
The name of the malicious package is “com.android.protect”, and it comes disguised as a Google Play Services app. It disables Samsung’s SPCM service in order to keep running, installs itself as a system package to prevent removal by the user (if it can get root access), and also hides itself from the launcher.
They don’t say how the malicious app – a piece of commercial spyware they dubbed Exaspy – found its way onto the victim’s phone, but chances are someone took advantage of the physical access they had to the device to do the dirty deed.
Once installed and run, the malware requests device admin rights, asks for a licence number to be entered, hides itself (its presence can be revealed by dialing “11223344”), and finally asks to be granted root access (if the device is rooted).
The spyware is able to:
- Collect chats and messages sent and received via SMS, MMS, and popular email and IM apps (Gmail, FB Messenger, Skype, WhatsApp, etc.)
- Record audio and telephone calls
- Collect pictures and take screenshots
- Collect contacts, browser histories, the contents of the calendar, and so on.
The stolen info is sent to a remote server operated by the attacker.
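A defender can check a device for the package name reported above by triaging the output of `adb shell pm list packages -f`. The script below is an added example, not code from Skycure or the original article; the function name `check_exaspy` and the sample package listings (including the install paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `pm list packages -f` output for the package name
# reported on this page. The genuine Google Play Services package is
# com.google.android.gms, so com.android.protect is not the real app.
IOC_PKG="com.android.protect"

# Reads `pm list packages -f` lines on stdin.
# Prints one FOUND line per match and says whether the APK sits on the
# system partition (the page notes it installs as a system package when
# it has root). Returns 0 if the package is present, 1 otherwise.
check_exaspy() {
    found=1
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}          # older adb versions emit CRLF
        line=${line#package:}
        pkg=${line##*=}             # package name follows the last '='
        path=${line%=*}             # APK path is everything before it
        [ "$pkg" = "$IOC_PKG" ] || continue
        found=0
        case "$path" in
            /system/*) loc="system" ;;
            *)         loc="user" ;;
        esac
        echo "FOUND $pkg location=$loc path=$path"
    done
    return $found
}

# Constructed sample listings (paths are illustrative, not from the report).
SAMPLE_INFECTED='package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/system/app/com.android.protect/com.android.protect.apk=com.android.protect
package:/data/app/com.example.notes-1/base.apk=com.example.notes'

SAMPLE_CLEAN='package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/com.example.notes-1/base.apk=com.example.notes'

# Usage against a connected device:
#   adb shell pm list packages -f | check_exaspy
```

A `location=system` result means the app cannot be removed through the normal uninstall flow, which matches the persistence behaviour described for rooted devices.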
You can read more in an article by Zeljka Zorz on the HelpNetSecurity.com website at https://www.helpnetsecurity.com/2016/11/03/android-spyware-business-executives.