A Github repository exists for AndroSpy spyware for Android

SonicWall Threats Research team identified a version of AndroSpy in the wild. Interestingly, there exists a Github repository for this version of the malware. This repository was created a few months back and appears to be fairly active.

Sample specifics

• MD5: 1749d7830b1593fbe9eec1946002dee7
• Application Name: Critical Device Settings
• Package Name: com.kernel32.criticalprocess

This app requests a number of dangerous permissions, few of them are listed below:

• WRITE_EXTERNAL_STORAGE
• READ_EXTERNAL_STORAGE
• READ_CALL_LOG
• WRITE_CALL_LOG
• CAMERA
• READ_SMS
• ACCESS_FINE_LOCATION
• RECORD_AUDIO
• READ_CONTACTS
• WRITE_CONTACTS
• SEND_SMS
• BIND_DEVICE_ADMIN
• RECEIVE_SMS
• WRITE_SMS
• PROCESS_OUTGOING_CALLS
• DELETE_PACKAGES
• SYSTEM_ALERT_WINDOW
• ACCESSIBILITYSERVICE

This version of AndroSpy boasts a number of functionalities, some of them are listed below:

• Access camera
• Access files
• Live microphone
• Keylogger
• SMS manager
• Shell terminal
• Access contacts
• Call Logs
• Check installed apps
• Live screen
• Disable Google Play Protect

Similar threats

Searching for this app on Virustotal showed a number of related apps, some with different names and icons:

This indicates that this threat is being used and propagated with malicious intent. As mentioned earlier, the attacker server ad other configurations can be viewed under resources>res>values>strings

Additional observation

The github repository shows a BTC wallet address for donations towards this project:

Overall this is a spyware that is available on Github as a framework. This spyware is being used as legitimate application in some cases.

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

• AndroidOS.Androspy.GT

Indicators of Compromise:

• 1749d7830b1593fbe9eec1946002dee7
• 603b7c441289ff7a15d3a458add66f2d
• 0e9d6812f7ed7f912fab2f74e143ea76
• 4f48d7d1258d52db555e0aae4b5136d6
• 93c0c8c706a219d4194110035898f36d