Windseeker spyware app implements advanced injection and hooking techniques

Security experts at Lacoon Mobile Security detected a malicious app dubbed Windseeker which uses rare injection and hooking techniques to spy on users.

Windseeker is a malicious Android app which attracted experts at Lacoon Mobile Security, the principal characteristics of the app are its injection and hooking techniques used to spy on mobile users.

The techniques are rare in the mobile ecosystem, Windseeker runs on rooted Android devices and allows attackers to spy on popular instant messaging apps in China, WeChat and QQ.

The discovery is anyway, worrying as remarked by Avi Bashan, CISO at Lacoon Mobile Security, who explained that these kind of threat could be used to spy data of any other application.

“While this tool is intended for use in China due to the intended targets as Chinese instant messaging apps (WeChat and QQ) and monitored chats being in Chinese, it’s important to understand that this type of threat could be implemented anywhere.” wrote Bashan in a blog post.

As usual happen, such kind of malicious apps is distributed through third-party app marketplaces, the installation of Windseeker needs attacker has physical access to the Smartphone.

Differently from other mobile apps used to spy on users, Windseeker implements injection and hooking techniques instead steal data from device memory neither from its file system.

The injection mechanism has two different phases, in a first step the app deploys a native file that uses the ptrace process, and that is also used to inject a second file  into the targeted instant messaging app. In the second stage the injected native file loads a java file that allows to monitor messaging app activity through the API hooking.

“Hooking over an API code means that every time the app calls to the API, instead of going directly to the system, [data] is intercepted by [the attacker]. When it’s on the device itself, it’s called ‘hooking;’ when it’s over the network, it’s called a man-in-the-middle attack. PC malware has done this for years.”

“This kind of hooking technique is not common in the mobile area. Up until now, commercial mobile surveillance apps usually obtained an app’s data through the file system or through a memory dump.

This hooking technique marks a new step in the evolution of malicious activity in mobile, which resembles the way PC-based malware has also evolved over the years. It’s only a matter of time until we see these adopted techniques become widespread and move into general mass-targeting mobile malware.”  states the post.

Protect yourself:

• Avoid rooting your mobile device.
• Avoid installing applications from untrusted third-party app marketplaces.

Pierluigi Paganini

(Security Affairs – Windseeker, mobile)