Security Alert: New NickiBot Spyware Found in Alternative Android Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While investigating the recent NickiSpy spyware, my research team identified a new variant called NickiBot.
We believe it belongs to the same NickiSpy family. However, it differs significantly from previously reported
variants in that it is fully controlled by SMS messages rather than relying on a hard-coded C&C server for instructions. In addition, our
investigation shows that NickiBot supports a range of bot commands, including (GPS-based) location monitoring, sound recording
with (email-based) uploading, and call-log collection. It also has a check-in mechanism that contacts a remote website.
Getting started
NickiBot is designed as spyware. When installed, it asks for
an email address to receive the recorded audio and a so-called Safeone phone number to receive
status reports, such as which functionalities are enabled or disabled. After that, NickiBot
runs silently in the background without showing any icon on the home screen. If you open
"Application Setting" to show the list of installed apps, it appears under the name "Android System Log."
Checking-in
After launch, NickiBot first collects the phone's IMEI number, then attempts to connect to a remote server (http://www.*****.com/xxxxxxxxxx/index.php?IMEI_Yan) and waits for the server's response.
NickiBot will not continue unless the response from the server explicitly indicates that it should. By including
the IMEI number in the check-in message, NickiBot presumably runs only
on phones authorized by the remote server.
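Because the check-in described above places the device's IMEI in the request URL, a network defender can look for that shape in web-proxy logs. The following is an added detection example written for this article; it is not code from the NickiBot sample or from the research team. The log format, the hostnames and the IMEI value are constructed; only the URL shape (an IMEI-like token in the query of an `index.php` request) follows the description in the text. The IMEI check digit is a Luhn digit, so the detector validates each 15-digit token with Luhn to avoid flagging timestamps and other long numbers.

```python
import re
from urllib.parse import urlsplit

# A 15-digit run not bordered by other digits. Lookarounds rather than \b so
# that a token glued to an underscore (as in the check-in URL shape reported
# in the article, index.php?<IMEI>_Yan) is still found.
DIGIT15_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check as used for the IMEI check digit (the 15th digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imeis_in_url(url: str) -> list:
    """Return Luhn-valid 15-digit tokens found in the path or query of a URL."""
    parts = urlsplit(url)
    haystack = parts.path + "?" + parts.query
    return [tok for tok in DIGIT15_RE.findall(haystack) if luhn_valid(tok)]


# Constructed proxy-log lines (timestamp, client IP, method, URL). The hosts
# and the IMEI are fabricated for this example.
LOG_LINES = [
    "2011-08-01T10:00:01 10.0.0.5 GET http://checkin.example.invalid/app/index.php?490154203237518_Yan",
    "2011-08-01T10:00:02 10.0.0.7 GET http://cdn.example.invalid/images/logo.png",
    "2011-08-01T10:00:03 10.0.0.9 GET http://api.example.invalid/time?ts=123456789012345",
]


def find_imei_beacons(lines):
    """Flag requests whose URL carries a Luhn-valid, IMEI-shaped token."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        ts, client, _method, url = fields[:4]
        for imei in imeis_in_url(url):
            hits.append({"time": ts, "client": client,
                         "host": urlsplit(url).hostname, "imei": imei})
    return hits


if __name__ == "__main__":
    for hit in find_imei_beacons(LOG_LINES):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} sends IMEI {hit['imei']}")
```

The third constructed line carries a 15-digit timestamp that fails the Luhn check and is therefore not reported; without that check, any long numeric parameter would produce noise. A hit tells you which client sent its hardware identifier to which host, which is the starting point for isolating the device and reviewing what else it installed.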
Receiving and executing SMS Commands
Unlike its predecessors, NickiBot receives its commands via SMS messages. In the sample we analyzed, NickiBot supports the following commands:
- record: Record sounds on the phone. This command can be used to record phone calls, the surrounding sounds, etc.
- contact: Send the contacts stored on the phone to the preconfigured email address.
- boot: Enable/disable the boot notification, which sends an SMS message to the preconfigured phone number after the phone boots.
- log: Enable/disable phone-call monitoring.
- sendlog: Send the phone-call logs to the preconfigured email address.
- sms: Enable/disable SMS-message monitoring.
- sendsms: Send the SMS messages stored on the phone to the preconfigured email address.
- gps: Enable/disable GPS location monitoring.
- state: Check and report the monitoring status (which functionalities are enabled or disabled) of the phone.
- all: Enable/disable all the monitoring functionalities.
When an SMS message is received, NickiBot checks whether it is an intended SMS command. If so, it invokes the corresponding functionality.
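Since the command channel is ordinary SMS, the command vocabulary listed above is itself a detection signal: a phone receiving bare tokens such as "record" or "all" from a number the owner does not know is behaving like a remote-controlled device. The following is an added triage example written for this article, not code from the sample or from the research team. It takes a constructed list of inbound SMS records, matches each body against the command list from the article, and groups matches by sender. The matching rule is an assumption: the article gives the tokens but not the parser's exact rule, so the example requires the trimmed, lower-cased body to equal one token, which keeps normal messages that merely mention "gps" or "all" from being flagged. The phone numbers and message texts are constructed placeholders.

```python
from collections import defaultdict
from typing import Optional

# Command vocabulary reported for the analysed sample (from the article).
NICKIBOT_COMMANDS = frozenset({
    "record", "contact", "boot", "log", "sendlog",
    "sms", "sendsms", "gps", "state", "all",
})

# Constructed inbound SMS records as (sender, body). Not real traffic; the
# numbers and texts are placeholders made up for this example.
SAMPLE_SMS = [
    ("+15550100", "record"),
    ("+15550100", "gps"),
    ("+15550100", "STATE"),
    ("+15550123", "Still on for lunch? I'll bring the gps unit"),
    ("+15550199", " all "),
    ("+15550177", "Your verification code is 482913"),
]


def classify_sms(body: str) -> Optional[str]:
    """Return the command if the whole body is a bare command token, else None.

    Assumed matching rule: trimmed, case-insensitive, whole-body equality with
    one of the listed tokens. The article does not state the sample's exact
    parsing rule, so this is the conservative choice for a detector.
    """
    token = body.strip().lower()
    return token if token in NICKIBOT_COMMANDS else None


def triage(records, known_contacts=frozenset()):
    """Group bare command tokens by sender, skipping senders in the contact list.

    Returns {sender: sorted list of distinct command tokens seen}.
    """
    per_sender = defaultdict(set)
    for sender, body in records:
        if sender in known_contacts:
            continue  # a known contact typing "sms" is not an operator
        cmd = classify_sms(body)
        if cmd is not None:
            per_sender[sender].add(cmd)
    return {s: sorted(cmds) for s, cmds in per_sender.items()}


if __name__ == "__main__":
    report = triage(SAMPLE_SMS, known_contacts={"+15550123"})
    for sender, cmds in report.items():
        print(f"{sender}: {len(cmds)} distinct command token(s): {', '.join(cmds)}")
```

A sender that issues several distinct tokens over a short period (the first number in the constructed data) is a much stronger indicator than a single match, so the per-sender grouping, rather than the individual match, is what an analyst would act on. The contact allow-list is there to cut false positives from people who happen to text a single word that collides with the vocabulary.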
The following code snippet shows how NickiBot records the surrounding sounds and sends the
recording to the preconfigured email address. If no email address has been configured, the recorded
audio is sent to a hardcoded email address (*****xxxxxxx@163.com).
Mitigation:
We found this spyware in an unofficial Chinese Android market. To the best of our knowledge,
the threat is not present in the official Android Market. For mitigation, please follow basic,
common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust, and always check reviews, ratings and developer information before downloading;
- check the permissions an app requests before you install it and make sure you are comfortable with the data it will be accessing;
- be alert for unusual behavior on your mobile phone and make sure you have up-to-date security software installed on it.
Follow-ups:
- 08/09/2011: This article goes public.
- 08/01/2011: We detected an instance of NickiBot.
Last modified: August 9th, 2011