After three years of cat and mouse, Kaspersky has published its analysis of an Android spyware it calls ViceLeaker. Unlike commodity malware that infects whatever vulnerable Android device it lands on, ViceLeaker appears to be aimed at users in Middle East countries as part of a targeted, large-scale espionage operation. Kaspersky traces the activity back to 2016, but only obtained samples for closer inspection in May 2018. This is not adware that merely displays adverts and monetises the device: ViceLeaker's behaviour goes well beyond the phone-home traffic of typical spyware.
Kaspersky compares its structure with Triout, a malware family that another anti-malware vendor, Bitdefender, had been investigating. “The analysis of the APK was rather interesting, because some of the actions were very common spyware features, such as the exfiltration of SMS messages, call logs and other data. However, in addition to the traditional functionality, there were also backdoor capabilities such as upload, download, delete files, camera takeover and record surrounding audio,” explained Kaspersky Lab in its official blog.
According to Kaspersky, the attackers used Smali/Baksmali, an open-source Dalvik bytecode assembler/disassembler, to disassemble a harmless app, inject their malicious code into it and reassemble the result as a trojanised APK. The toolkit can be downloaded by anyone from its official GitHub site; it is a standard, legitimate part of Android reverse engineering and development tooling, and the tool itself is not malicious. The practical consequence is that the trojanised app keeps the look, package name and most of the code of the original, so a repackaged build is best spotted by comparing it against a known-good copy rather than by its appearance.
Based on Kaspersky Lab's research, the following commands are supported by the trojanised APK that carries the ViceLeaker espionage malware:
- Send specified SMS message
- Exfiltrate device info, such as phone model and OS version
- Exfiltrate a list of all installed applications
- Exfiltrate default browser history (limited to a given date)
- Exfiltrate Chrome browser history (limited to a given date)
- Exfiltrate memory card file structure
- Record surrounding sound for 80 seconds
- Exfiltrate all call logs
- Exfiltrate all SMS messages
- Upload specific file from the device to the C2
- Download file from specified URL and save on device
- Delete specified file
- Commands not yet implemented:
  - Take photo (muted audio) with rear camera, send to C2
  - Take photo (muted audio) with front camera, send to C2
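The injection technique and the command list above suggest a practical triage workflow for an analyst who has run baksmali over both a known-good APK and a suspect one: diff the declared classes to find what was injected, then map the Android API call sites in the injected smali to the capabilities listed above. The following Python is an added example written for this page; it is not ViceLeaker code and not from Kaspersky's report. The capability signatures, the class and method names, and the smali samples are constructed assumptions; a real run would feed it the `.smali` files produced by `baksmali`.

```python
"""Added example: capability triage over baksmali output (constructed samples)."""
import re
from collections import defaultdict

# Assumed mapping from API call sites / content URIs, as they appear in smali,
# to capabilities from the command list. Illustrative, not exhaustive.
CAPABILITY_SIGNATURES = {
    "send_sms": [r"Landroid/telephony/SmsManager;->sendTextMessage\("],
    "read_sms": [r'const-string [vp]\d+, "content://sms'],
    "read_call_log": [r'const-string [vp]\d+, "content://call_log'],
    "record_audio": [r"Landroid/media/MediaRecorder;->start\("],
    "camera": [r"Landroid/hardware/Camera;->takePicture\(", r"Landroid/hardware/camera2/"],
    "delete_file": [r"Ljava/io/File;->delete\("],
    "network": [r"Ljava/net/URL;->(<init>|openConnection)\(",
                r"Ljava/net/HttpURLConnection;->"],
}
# Capabilities that collect data versus channels that can move it off the device.
DATA_SOURCES = {"read_sms", "read_call_log", "record_audio", "camera"}
CHANNELS = {"network", "send_sms"}


def class_names(smali_text):
    """Set of class descriptors declared in a concatenated smali dump."""
    return {line.split()[-1] for line in smali_text.splitlines()
            if line.strip().startswith(".class")}


def injected_classes(original_smali, suspect_smali):
    """Classes present in the suspect build but absent from the known-good one."""
    return class_names(suspect_smali) - class_names(original_smali)


def triage_smali(smali_text):
    """Map each capability to the (class, method, line) sites that use it."""
    hits = defaultdict(list)
    cls, method = "?", "?"
    for lineno, raw in enumerate(smali_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(".class"):
            cls = line.split()[-1]          # track which class we are inside
        elif line.startswith(".method"):
            method = line.split()[-1]       # and which method
        elif line == ".end method":
            method = "?"
        for cap, patterns in CAPABILITY_SIGNATURES.items():
            if any(re.search(p, line) for p in patterns):
                hits[cap].append((cls, method, lineno))
    return dict(hits)


def exfil_ready_classes(hits):
    """Classes that both collect data and have a channel to send it out:
    the combination worth manual review first."""
    caps_by_class = defaultdict(set)
    for cap, sites in hits.items():
        for cls, _method, _lineno in sites:
            caps_by_class[cls].add(cap)
    return {cls for cls, caps in caps_by_class.items()
            if caps & DATA_SOURCES and caps & CHANNELS}


# Constructed sample: a trivial known-good activity as baksmali would emit it ...
ORIGINAL_SMALI = """\
.class public Lcom/example/app/MainActivity;
.super Landroid/app/Activity;
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""
# ... and a hypothetical injected service appended by the attacker (constructed).
INJECTED_SMALI = """\
.class public Lcom/example/app/Svc;
.super Landroid/app/Service;
.method private dumpSms()V
    const-string v0, "content://sms/inbox"
    invoke-static {v0}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
    return-void
.end method
.method private record()V
    new-instance v0, Landroid/media/MediaRecorder;
    invoke-direct {v0}, Landroid/media/MediaRecorder;-><init>()V
    invoke-virtual {v0}, Landroid/media/MediaRecorder;->start()V
    return-void
.end method
.method private sendSms(Ljava/lang/String;Ljava/lang/String;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
.method private upload(Ljava/lang/String;)V
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p1}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object v0
    check-cast v0, Ljava/net/HttpURLConnection;
    return-void
.end method
"""
SUSPECT_SMALI = ORIGINAL_SMALI + INJECTED_SMALI

if __name__ == "__main__":
    print("injected classes:", injected_classes(ORIGINAL_SMALI, SUSPECT_SMALI))
    hits = triage_smali(SUSPECT_SMALI)
    for cap, sites in hits.items():
        print(cap, "->", [(c, m) for c, m, _ in sites])
    print("review first:", exfil_ready_classes(hits))
```

The class diff is the cheap, reliable signal: a repackaged app keeps the original's code, so anything that only appears in the suspect build is where the injected logic lives. The capability map then prioritises review by pairing a data source (SMS, call log, microphone, camera) with a channel out (network or SMS), which is exactly the profile of the command list above; a class with only a network call, or only a content-provider read, is far less interesting on its own.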