Security Alert: New NickiBot Spyware Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

While investigating the recent NickiSpy spyware, my research team identified a new variant called NickiBot. We believe it belongs to the same NickiSpy family. However, it differs significantly from previously reported variants in that it is fully controlled by SMS messages instead of relying on a hard-coded C&C server for instructions. In addition, our investigation shows that NickiBot supports a range of bot commands, such as (GPS-based) location monitoring, sound recording with (email-based) uploading, call-log collection, etc. It also has a check-in mechanism that contacts a remote website.

Getting started

NickiBot is designed as spyware. On installation, it asks for an email address to receive the recorded audio and for a so-called Safeone phone number to receive status reports, such as which functions are currently enabled or disabled. After that, NickiBot runs silently in the background without showing any icon on the home screen. If you open the Application Settings list of installed apps, it appears under the name "Android System Log."


Checking-in

After launch, NickiBot first collects the phone's IMEI, then attempts to connect to a remote server (http://www.*****.com/xxxxxxxxxx/index.php?IMEI_Yan) and waits for the server's response. It will not continue unless the response clearly tells it to. By including the IMEI in the check-in message, NickiBot presumably runs only on the phones the remote server has approved.

Receiving and executing SMS Commands

Unlike its predecessors, NickiBot receives its commands via SMS messages. In the sample we analyzed, NickiBot supports the following commands: When an SMS message is received, NickiBot checks whether it is an intended SMS command. If so, it invokes the corresponding functionality.

The following code snippet shows that NickiBot can record the surrounding sounds and send the recording to a preconfigured email address. If no email address has been configured, the recorded audio is sent to a hardcoded address (*****xxxxxxx@163.com).
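As an added detection-side example (not code from the original post and not the NickiBot sample itself), the check below inspects a decoded AndroidManifest.xml for the traits described in the sections above: the permissions needed for SMS receipt, audio recording, GPS and IMEI access, a receiver for SMS_RECEIVED as the command channel, and the absence of a launcher activity, which is why no icon appears. The permission and intent names are standard Android identifiers; the sample manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Capabilities the write-up attributes to NickiBot, with the permission each needs.
SPY_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS command channel",
    "android.permission.RECORD_AUDIO": "sound recording",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location monitoring",
    "android.permission.READ_PHONE_STATE": "IMEI collection for check-in",
    "android.permission.INTERNET": "remote check-in and upload",
}

def analyze_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml string for the NickiBot traits above."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NS + "name") for p in root.iter("uses-permission")}
    suspicious = {p: why for p, why in SPY_PERMS.items() if p in declared}
    # No MAIN/LAUNCHER activity means no home-screen icon, which is how NickiBot hides.
    has_launcher = any(
        "android.intent.action.MAIN" in {a.get(NS + "name") for a in flt.iter("action")}
        and "android.intent.category.LAUNCHER" in {c.get(NS + "name") for c in flt.iter("category")}
        for act in root.iter("activity") for flt in act.iter("intent-filter")
    )
    # A receiver registered for SMS_RECEIVED is the hook an SMS-controlled bot needs.
    sms_receiver = any(
        a.get(NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
        for r in root.iter("receiver") for a in r.iter("action")
    )
    return {
        "suspicious_permissions": suspicious,
        "hidden_icon": not has_launcher,
        "sms_receiver": sms_receiver,
        "score": len(suspicious) + int(not has_launcher) + int(sms_receiver),
        # Flag only when the SMS channel, hidden icon and 3+ spy permissions coincide.
        "flag": sms_receiver and not has_launcher and len(suspicious) >= 3,
    }

# Constructed sample manifest modelled on the traits above (not NickiBot's real manifest).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.syslog">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Android System Log">
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <service android:name=".RecorderService"/>
  </application>
</manifest>"""
```

The manifest inside an APK is binary XML, so run this on the text form produced by a decoder such as apktool; the score is a triage heuristic, not a verdict.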

Mitigation:

We found this spyware in an unofficial Chinese Android market. To the best of our knowledge, the threat is not present in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: August 9th, 2011