Windseeker spyware app implements advanced injection and hooking techniques

Security experts at Lacoon Mobile Security detected a malicious app dubbed Windseeker which uses rare injection and hooking techniques to spy on users.

Windseeker is a malicious Android app which attracted experts at Lacoon Mobile Security, the principal characteristics of the app are its injection and hooking techniques used to spy on mobile users.

The techniques are rare in the mobile ecosystem, Windseeker runs on rooted Android devices and allows attackers to spy on popular instant messaging apps in China, WeChat and QQ.

The discovery is anyway, worrying as remarked by Avi Bashan, CISO at Lacoon Mobile Security, who explained that these kind of threat could be used to spy data of any other application.

“While this tool is intended for use in China due to the intended targets as Chinese instant messaging apps (WeChat and QQ) and monitored chats being in Chinese, it’s important to understand that this type of threat could be implemented anywhere.” wrote Bashan in a blog post.

As usual happen, such kind of malicious apps is distributed through third-party app marketplaces, the installation of Windseeker needs attacker has physical access to the Smartphone.

Differently from other mobile apps used to spy on users, Windseeker implements injection and hooking techniques instead steal data from device memory neither from its file system.

The injection mechanism has two different phases, in a first step the app deploys a native file that uses the ptrace process, and that is also used to inject a second file into the targeted instant messaging app. In the second stage the injected native file loads a java file that allows to monitor messaging app activity through the API hooking.

“Hooking over an API code means that every time the app calls to the API, instead of going directly to the system, [data] is intercepted by [the attacker]. When it’s on the device itself, it’s called ‘hooking;’ when it’s over the network, it’s called a man-in-the-middle attack. PC malware has done this for years.”

“This kind of hooking technique is not common in the mobile area. Up until now, commercial mobile surveillance apps usually obtained an app’s data through the file system or through a memory dump.

This hooking technique marks a new step in the evolution of malicious activity in mobile, which resembles the way PC-based malware has also evolved over the years. It’s only a matter of time until we see these adopted techniques become widespread and move into general mass-targeting mobile malware.” states the post.

Protect yourself:

Avoid rooting your mobile device.
Avoid installing applications from untrusted third-party app marketplaces.

Pierluigi Paganini

(Security Affairs – Windseeker, mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.