
CallerSpy spyware: Possibly the first phase of a targeted attack

A new cyberespionage tool called CallerSpy was revealed by Trend Micro, but exactly what the developer’s intentions are for the malware is still unknown.

CallerSpy was first spotted in May on the typosquatted website https://gooogle[.]press/ where it was advertised as a chat app called Chatrious. Using the misspelled Google name in the URL appears to be the main method of attracting victims and the website goes an extra step by placing fake Google corporate copyright details on the page.

This site almost immediately went silent only to come back again in October, this time under the name Apex App, Trend Micro reported.

The security company believes CallerSpy could be the initial phase of a larger campaign that either has not been fully initiated or has not launched at all, as no victims have been spotted and no detections for it have been seen on VirusTotal.

Trend Micro found several confusing aspects of CallerSpy.

The app’s only ability is to steal information. In many cases threat actors build the advertised capability into an app to further camouflage its true malicious nature, but CallerSpy does not: all it does is steal information.

The app only works on Android devices even though options for Mac and Windows are offered on the website. In addition, the icon that is downloaded is labeled “rat” and researchers found bits and pieces of debug code left in the malware.

With that said, it is perfectly capable of stealing data. Once downloaded, its first function is to contact one of four command and control servers to receive info-stealing assignments. The malware uses Evernote Android-Job to handle scheduling the thievery.

This includes taking screenshots and collecting call logs, SMS messages, contacts and files on the device. The content is stored locally and then periodically uploaded to the server.

In addition to using a misspelling of Google in the URL as a bit of subterfuge, the team behind CallerSpy also erased its registrant data.

“Whois Lookup reveals that this domain was registered on February 11, 2019 at Namecheap. However, we found that all the registrant data was untraceable. It is important to note, however, that domain privacy protection is common among domains that Namecheap offers,” Trend Micro said.
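The misspelled-brand lure described above (an extra letter in a well-known name) is something defenders can look for in DNS or proxy logs. The Python below is an added example, not code from Trend Micro or the article; the brand watchlist, the matching rules and every hostname other than gooogle[.]press are constructed assumptions.

```python
import re

# Assumed watchlist of brand labels to protect (not taken from the article).
BRANDS = ("google", "evernote", "namecheap")

def squeeze(label):
    """Collapse runs of a repeated character: 'gooogle' -> 'gogle'."""
    return re.sub(r"(.)\1+", r"\1", label)

def edit_distance(a, b):
    """Levenshtein distance using a rolling one-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def refang(host):
    """Normalise a hostname, undoing the '[.]' defanging used in reports."""
    return host.lower().replace("[.]", ".").strip(".")

def lookalike(host):
    """Return (brand, reason) if a label imitates a brand, else None."""
    for label in refang(host).split(".")[:-1]:   # every label except the TLD
        for brand in BRANDS:
            if label == brand:
                continue                         # the genuine name
            if squeeze(label) == squeeze(brand):
                return brand, "char-repeat variant"
            if edit_distance(label, brand) == 1:
                return brand, "one-edit variant"
    return None

def scan(hosts):
    """Return (host, brand, reason) for every suspicious hostname."""
    hits = []
    for host in hosts:
        match = lookalike(host)
        if match:
            hits.append((host,) + match)
    return hits

# Constructed sample of queried hostnames; only the first is from the article.
SAMPLE = ["gooogle[.]press", "www.google.com", "cdn.example.org",
          "evern0te.example.net", "evernote.com"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

An exact brand label on an unexpected TLD is not flagged by these rules; that case needs an allowlist of the organisation's real domains.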
