Android SpyDealer Trojan is able to spy on more than 40 apps

Pierluigi Paganini July 09, 2017

Security experts at Palo Alto Networks have discovered a new Android Trojan dubbed SpyDealer that can steal data from more than 40 applications.

Malware researchers at Palo Alto Networks have spotted a new  Android Trojan, dubbed SpyDealer that can exfiltrate data from more than 40 applications, including WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Brower, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk.

“Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.” states the analysis published by PaloAlto Network.

SpyDealer steals messages from communication apps using the Android accessibility service feature and leverages the exploits from a commercial rooting app called Baidu Easy Root to gain rooting privileges and to maintain persistence on the target.

The mobile malware only works Android versions from 2.2 up to 4.4 releases (roughly 25% of all Android devices), that are the versions supported by the rooting tool.

Once installed, the malware registers “two broadcast receivers to listen for events related to the device booting up and network connection status.”

Even when the malware is not able to root the device, it is able to steal a significant amount of sensitive data.

Attackers can remotely control the infected Android device via UDP, TCP and SMS channels.


The SpyDealer Trojan can gather a huge quantity of information from the target devices, including the phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information. It can also answer incoming phone calls from a specific number, can record phone calls and the surrounding audio and video, can take photos with the device’s cameras, monitor location, and take screenshots.

The malware is also able to answer calls from a specific number, can record phone calls and can work as a spying device, recording calls and the surrounding audio and video, it can also take photos using device’s cameras, take screenshots, and track the device location.

The good news is that SpyDealer isn’t distributed through the official Google Play store, the malware experts observed Chinese users being infected compromised wireless networks.

PaloAlto Networks believe the malware is under active development, the researchers already detected 1,046 samples of SpyDealer belonging to at least three differed variants.

The first variant spotted is dated back October, 2015, the last one was created in May, 2017, this means that the SpyDealer Trojan has been active for more than 18 months.

“As of June 2017, we have captured 1046 samples of SpyDealer. Our analysis shows that SpyDealer is currently under active development. There are three versions of this malware currently in the wild, 1.9.1, 1.9.2 and 1.9.3. Starting from 1.9.3, content of configuration files and almost all constant strings in the code are encrypted or encoded.” states the analysis. “An accessibility service was also introduced in 1.9.3 to steal targeted apps’ messages. According to our dataset, most of these samples use the app name “GoogleService” or “GoogleUpdate”. The most recent sample we have observed was created in May, 2017 while the oldest sample dates back to October, 2015, indicating this malware family has been active for over a year and a half.”

According to the experts, at the first launch, the malware retrieves configuration information such as the C&C IP address from the local asset file named readme.txt. 

“The first line of this file indicates the IP address of a remote C2 server, the second line configures what actions the malware can take on mobile networks, and the third line specifies what actions are allowed under a Wi-Fi network.” continues the analysis.

The SpyDealer malware used three different C&C channels and supports more than 50 commands.

Further information is included in the analysis published by PaloAlto Networks.

[adrotate banner=”9″]

Pierluigi Paganini 

(Security Affairs – SpyDealer Trojan, Android)

[adrotate banner=”13″]

you might also like

leave a comment