NickiSpy.C - Android Malware Analysis & Demo

Recently I got the chance to dig into a nice little piece of Android spyware, commonly known as 'NickiSpy.C'. I've also seen it referred to as NickiBot, as well as NickiSpy.A and NickySpy.B. Some anti-virus companies even refer to it as NickySpy.g. [As a quick aside, can we please get some standardization on the naming of spyware/malware?] For the sake of consistency, I'll simply be referring to this sample as NickiSpy.C. This specific sample is just one of many in a large family of spyware named, you guessed it, NickiSpy.

A quick rundown on the current A/V detection on this sample can be seen at Virustotal.

For those unfamiliar, NickiSpy gained quite a bit of notoriety around July/August 2011, as it was one of the first malicious Android applications to have the ability to record phone calls. The first iteration, NickiSpy.A, had a few goals in mind. First (and arguably the most notable), it would record phone calls to the device's SD card. The sample also sent the device's IMEI (think of it as a unique ID for the device), to a phone number in China. Additionally, it would also record the device's GPS coordinates, and make connections to a remote server on a subdomain of 56mo.com (also in China).

Since this initial release, the NickiSpy family of spyware has made a few revisions. NickiSpy.C is one of the newer variants and was released sometime in August. NickiSpy.C is often found repackaged in legitimate applications in order to avoid detection. In the specific sample I analysed, it was repackaged in the Google+ application. Noting the timeframe of when this sample was originally seen, it would make sense as Google+ was still quite new at this point, and getting a lot of attention. The NickiSpy samples traditionally have appeared on third party Chinese Android markets, and to the best of my knowledge have not been seen on the official market at the time of this post.

Like most pieces of Android spyware/malware, installation is dependant on the end-user. Unfortunately, as NickiSpy.C is often bundled with legitimate software, it is difficult for end-users to determine if they are about to install a malicious program or not. Due to the level of detail regarding permissions utilized by Android applications, it is difficult to distinguish between legitimate application permissions needed, and those that may be used by malicious components. As an example, the Google+ application will of course need Internet access, as it needs to go online and see what fun new things your friends are doing at the moment (Zack, I honestly don't care if you're on your bike or about to eat some Chipotle). However, who's to say that this application is also accessing a server on the Internet and uploading personal information collected from your phone? This, in my opinion, is one of the biggest reasons that Android malware is being propogated to end-users. However, that's a topic for another time.

Configuration

Configuration of the NickiSpy.C sample is done in the com/google/android/setting/FunctionSettingModel class. As shown below, there are a number of configuration options available for the attacker to specify. The first setting which jumps out to most people is the 'Service' setting, which appears to be a blob of binary that gets passed to the StringUtils.decrypt function.

Screen shot 2011-10-25 at 1.06.20 PM

A quick look at what decrypt is doing. Using the last value as an example ('110110100000'):

Screen shot 2011-10-25 at 1.37.21 PM

The decrypt function begins by converting this binary integer into a decimal value. In this case it becomes 3488. The decrypt function then calls the count function, which determines how many trailing zeros are present in the binary representation. In this case '110110100000' has 5 trailing zeros. The decrypt function then performs a bitwise right shift to essentially remove these trailing zeros. In short, '110110100000' turns into '1101101'. The decrypt function wraps up by returning the ASCII representation.

'1101101' => '109' => 'm'

This is performed on every binary number provided, which will result in a domain and/or IP address. In this case it returned <removed>.61ing.com, which is registered in China.

A few of the other settings found in the FunctionSettingModel class are shown below:

  • Port - port used to connect to domain/ip found in the 'Service' setting
  • BeginTime / EndTime - timeframe for when this spyware is run. In other words, this spyware will restart every night at midnight.
  • IsAll / IsGps / IsSms / IsCall / IsRec / IsContact - Various boolean parameters specifying what content should be collected.
  • IsFirst - Boolean value specifying if this is the first time this spyware is running.
  • Controller - Phone number of the 'controller', which is allowed to execute SMS commands on the victim's device.
  • Password - Password needed to execute SMS commands against the victim's device.

Installation

As mentioned earlier, NickiSpy.C must be manually installed by a user. Once installed, NickiSpy.C does not actually start running its malicious services until the device is rebooted. When it loads, the following services are started:

  • UploadService
  • SocketService
  • AlarmService
  • MainService
  • SmsControllerService

Screen shot 2011-10-25 at 1.53.59 PM

Screen shot 2011-10-25 at 1.54.17 PM

While these services are running, nothing malicious is actually performed until an activation SMS message is received.

Control

Control of this spyware is primarily performed via SMS, which is a unique attribute to this variant. The specification for a command is shown below:

# <command> # <password> # <option>

Where <command> is a number between 1 and 20, <password> is the password specified in the configuration, and (in the event of initialization) <option> is the phone number which receives a notification via SMS.

A full list of commands is shown below:

Screen shot 2011-10-25 at 3.22.40 PM

The command of '17' will initialize the NickiSpy.C spyware, which begins the following services:

  • CommandExecutorService
  • RegisterService
  • ContactService
  • SmsService
  • LocationService
  • CallsListenService

Additionally, a SMS text message is sent to the phone number specified, and an initialize packet is sent to the remote server.

Screen shot 2011-10-25 at 3.10.56 PM

Network Traffic / Features

Analysis of the communication was done primarily on the wire. Would simply looking at the source code have been easier? Yes. Would it have been more fun? I vote no.

When the SMS initialize command above is sent to NickiSpy.C, the following packet is sent to the server:port specified in the configuration:

Screen shot 2011-10-25 at 2.00.29 PM

The first four bytes specify the length of the data portion of the packet. The following 5 bytes appear to be a flag of some sort. In this case, 00 00 00 09 80 equate to an 'initialize' command. Other flags I've mapped out include those for text messages, contact list modification/additions, recorded phone calls, and pings. These were uesd to create a mock server in ruby which responds to these commands appropriately.

The following 15 bytes are used to indicate the victim phones IMEI, or unique identifier. The bytes which are found after vary based on the command/information being sent. In the event of this specific initialize commands, the remaining information includes the password being used. In the event that a correct response is not received by the server, the NickiSpy.C variant will not be initialized. It is possible this password is checked against the remote server as another layer of defense against researchers, however, I did not face such complications during my dynamic testing.

In addition to the collection of SMS messages, GPS coordinates, contacts, this variant also records phone calls (like other NickiSpy variants). These recorded phone calls are stored on the SD card in the following location:

/sdcard/mtm/data/

Another pretty nifty feature of this variant is its ability to 'eavesdrop' on unsuspecting victims. When a call is received from a number specified in the spyware configuration, the victim's phone is muted, the screen is configured to go black, and the call is automatically answered. What this results in is the ability for an attacker to essentially use your phone's microphone to spy on you when you are not actively using your phone. I don't know about you, but I immediately think of a James Bond movie when I see this, which makes the little kid in me--I'll say it--giddy. However, then I think of this happening to me, or someone in my family, and I immediately come back to reality.

Some caveats to this feature are the fact that the phone must be in the locked stated. If it is not in the locked/idle state, this will not be executed. Additionally, only Android 2.2 and earlier are affected, as Android 2.3 removed the ability to change a phone's state without consent.

I could go on and on writing about the functionality, but being the visual person that I am, I figured a small movie might be equally enjoyed. Therefore, I made the following demonstration of NickiSpy.C's more interesting features. Apologies, as I, unlike some of my co-workers, do not have a Star Wars introduction in this video :/

As you can see, this sample has a decent level of sophistication. From its ability to record phone calls, to its ability to allow an attacker to eavesdrop on unsuspecting victims, to its ability to receive instructions via SMS, this sample is quite scary in many scenarios. The scenario I immediately come up with is a savy business tycoon type (read: the Monopoly guy), who happens to download this guy hiding in his favorite application. Before he knows it, attackers have gained access to his address/contact list, allowing them to call Bill Gates, Conan O'Brian, and President Obama. Not only that, but the attacker has gained access to all SMS messages and recorded phone calls, allowing him to get tons of insider information about the soon-to-be buyout of Park Place, Boardwalk, and all of the Railroads. And just because that wasn't enough, the attacker also has the ability to eavesdrop on the Monopoly guy, which prompts him to discover that he's having an affair with that pretty young secretary. If you haven't figured out by now, I have an active imagination. That being said, this piece of spyware can be truly devastating for whomever the victim is. Let's add to the equation that currently only about half of the big anti-virus companies currently identify this sample, along with the fact that very few people run anti-virus on their phones. Lets also add the fact that every subdomain I identified in the samples I looked at is still online and actively receiving connections on port 2018, and probably has been for quite some time.

Have I scared you yet? Because I'm slightly shaking as I write this (granted, that could be due to excessive coffee/lack of a bathroom break). I'll leave everyone with some parting words of advice/encouragement. The only way to (currently) get this guy on your device is for you or someone with access to your phone to download it. Because of this, if you follow best practices you're unlikely to get infected. Anti-virus companies still have a ways to go, as so many still do not catch this variant. That being said, running a security application on your device will certainly help protect it from malicious threats. Additionally, pay close attention to the permissions required by applications you download. This specific variant uses upwards of thirty different permissions, which should immediately raise a red flag. A simple way to go about it is, "Does this application really need the ability to do 'X'?" If the answer is no, you may want to reconsider downloading it. Finally, be sure to only download Android applications from reputable, trusted sources, in order to lessen the likelihood of malicious applications being present.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.