
Android Spy


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers identified an Android Trojan (RAT) using the messaging service ‘Telegram’ protocol. Cybercriminals can steal confidential information if installed and executed on a device.

Affected platforms

The following platforms are known to be affected:

Threat details

The threat is known as Android.Spy.377.origin, a remote administration tool (RAT) that disguises itself within applications such as Insta Plus, Profile Checker and Cleaner Pro.

Launching one of these malicious apps triggers the Trojan, which offers to check how popular the device owner is among other Telegram users. It does this by asking the owner for their personal ID, and later displays the number of visitors to their profile. Threat actors added this feature to allay any suspicion that the app is malicious, while the app's home screen shortcut removes itself in an attempt to hide the Trojan's presence on the device.

Malicious components of this threat allow Android.Spy.377.origin to copy the contact list, incoming and outgoing SMS messages and Google account data from the device. The Trojan also takes a photo with the front camera to capture the device user's face, and sends all of this data to the command and control (C2) server. Its capabilities extend to tracking incoming and outgoing messages and the device's location. Threat actors control the Trojan by sending it the following text messages:

  • call — Make a phone call.
  • sendmsg — Send an SMS.
  • getapps — Forward information about the installed applications to the server.
  • getfiles — Forward information about all the available files to the server.
  • getloc — Forward device location information to the server.
  • upload — Upload to the server the file that is indicated in a command and stored on the device.
  • removeA — Delete from the device the file specified in a command.
  • removeB — Delete a file group.
  • lstmsg — Forward to the server the file containing information about all the sent and received SMS, including sender and recipient phone numbers, and message contents.
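Because the operator channel is plain SMS, the command keywords above are a useful detection signal for anyone reviewing SMS logs or MDM telemetry from a suspect device. The following script is an added example, not code from the alert or from the malware: it scans constructed SMS log lines for the command set listed above and reports matches. The alert names the keywords but not their argument syntax, so the assumed layout (keyword first, optional argument, with a phone-number-shaped argument for "call" and a path for "upload"/"removeA") is an assumption, as is the "sender|body" log format; the sample log is constructed.

```python
"""Flag SMS bodies that match the Android.Spy.377.origin operator command set.

Added example (not from the alert). Assumptions, labelled below: message layout,
argument syntax per command, and the 'sender|body' log line format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Command keywords as listed in the alert, with the action each requests.
SPY377_COMMANDS = {
    "call": "make a phone call",
    "sendmsg": "send an SMS",
    "getapps": "exfiltrate installed-application list",
    "getfiles": "exfiltrate file listing",
    "getloc": "exfiltrate device location",
    "upload": "exfiltrate a named file",
    "removeA": "delete a named file",
    "removeB": "delete a file group",
    "lstmsg": "exfiltrate SMS history",
}

# Assumed argument shape per command (the alert does not specify syntax).
# None means the keyword must appear on its own; this keeps ordinary texts
# such as "call me back" from being flagged as the "call" command.
_ARG_SHAPE = {
    "call": re.compile(r"^\+?\d{5,15}$"),
    "sendmsg": re.compile(r"^\+?\d{5,15}\s+\S.*$"),
    "getapps": None,
    "getfiles": None,
    "getloc": None,
    "upload": re.compile(r"^/\S+$"),
    "removeA": re.compile(r"^/\S+$"),
    "removeB": re.compile(r"^\S+$"),
    "lstmsg": None,
}

# Assumed layout: keyword is the first token, the rest of the body is the argument.
_CMD_RE = re.compile(r"^\s*(?P<cmd>[A-Za-z]+)(?:\s+(?P<arg>.*\S))?\s*$")


@dataclass
class Finding:
    sender: str
    command: str
    argument: Optional[str]
    description: str


def classify_sms(sender: str, body: str) -> Optional[Finding]:
    """Return a Finding if the body is a well-formed operator command, else None."""
    m = _CMD_RE.match(body)
    if not m:
        return None
    cmd, arg = m.group("cmd"), m.group("arg")
    if cmd not in SPY377_COMMANDS:          # keywords are case-sensitive (removeA/removeB)
        return None
    shape = _ARG_SHAPE[cmd]
    if shape is None:
        if arg is not None:                 # bare keyword expected, extra words present
            return None
    elif arg is None or not shape.fullmatch(arg):
        return None
    return Finding(sender, cmd, arg, SPY377_COMMANDS[cmd])


def scan_sms_log(lines: List[str]) -> List[Finding]:
    """Scan 'sender|body' lines (constructed format) and collect command findings."""
    findings: List[Finding] = []
    for line in lines:
        if "|" not in line:
            continue
        sender, body = line.split("|", 1)
        hit = classify_sms(sender.strip(), body)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample log: not real captured traffic.
SAMPLE_LOG = [
    "+15550000001|Hi, are we still meeting at 6?",
    "+15550000002|getloc",
    "+15550000002|upload /sdcard/DCIM/Camera/IMG_0001.jpg",
    "+15550000003|call me back when you can",
    "+15550000002|lstmsg",
    "+15550000002|removeA /sdcard/Download/notes.txt",
]

if __name__ == "__main__":
    for f in scan_sms_log(SAMPLE_LOG):
        print(f"{f.sender}: {f.command} ({f.description}) arg={f.argument!r}")
```

On the sample log this reports four findings, all from one sender, which is itself a signal worth surfacing: an operator number that repeatedly sends bare keywords and file paths is far more telling than any single match. The argument checks are deliberately strict so that ordinary conversational texts containing the word "call" are not flagged.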

Remediation steps

  • Avoid unofficial third-party Android app stores.
  • Ensure an anti-virus application is installed on Android devices.
  • Read user reviews before installing an application, which may highlight anything suspicious.

Last edited: 17 February 2020 11:26 am