Android malware disguises itself as Google+ App

We have received a new Android malware sample from the Android Market whose icon resembles that of the Google+ app.
This app is particularly dangerous as it gathers GPS data, call logs, text messages and even records phone calls before sending the information off to a remote server.

After installation it asks for the following permissions:


PROCESS_OUTGOING_CALLS
INTERNET
ACCESS_GPS
ACCESS_COARSE_LOCATION
ACCESS_COARSE_UPDATES
ACCESS_FINE_LOCATION
READ_PHONE_STATE
READ_CONTACTS
WRITE_CONTACTS
ACCESS_WIFI_STATE
PERMISSION_NAME
SEND_SMS
READ_SMS
RECEIVE_SMS
WRITE_SMS
WAKE_LOCK
RECORD_AUDIO
WRITE_EXTERNAL_STORAGE
MODIFY_PHONE_STATE
DEVICE_POWER
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
MODIFY_PHONE_STATE
DISABLE_KEYGUARD
WRITE_SETTINGS
DELETE_PACKAGES
KILL_BACKGROUND_PROCESSES
FORCE_STOP_PACKAGES
RESTART_PACKAGES
WRITE_APN_SETTINGS

It may then start any of the following services:

AlarmService
CallLogService
CallRecordRegisterService
CallRecordService
CallsListenerService
CommandExecutorService
ContactService
EnvRecordService
GpsService
KeyguardLockService
LocationService
MainService
ManualLocalService
RegisterService
ScreenService
SendResultService
SmsControllerService
SmsService
SocketService
SyncContactService
UploadService

It is also capable of receiving commands via text messages, but it requires the sender to use the pre-defined “Controller” number.

It also has the capability to automatically answer incoming calls.
Before answering the call, it puts the phone on silent mode to prevent the affected user from hearing it. It also hides the dial pad and sets the current screen to display the home page.

As mentioned previously, the best defense against such malware is to pay attention to the permissions the application is asking for.
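
As an added illustration of reviewing requested permissions (this is not Quick Heal's code or detection logic), the Python code below reads the `uses-permission` entries from a decoded AndroidManifest.xml and flags an app that combines several data-collection capabilities with INTERNET access. The capability grouping, the two-capability threshold and the sample manifest are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed grouping of permissions from the list above into collection capabilities.
CAPABILITIES = {
    "location tracking": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "SMS access": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "WRITE_SMS"},
    "call monitoring": {"PROCESS_OUTGOING_CALLS", "READ_PHONE_STATE"},
    "audio recording": {"RECORD_AUDIO"},
    "contact access": {"READ_CONTACTS", "WRITE_CONTACTS"},
}
EXFIL = "INTERNET"  # needed to send collected data to a remote server

# Constructed sample manifest fragment (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of all permissions requested in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        full_name = elem.get(ANDROID_NS + "name", "")
        if full_name:
            names.add(full_name.rsplit(".", 1)[-1])
    return names

def triage(manifest_xml):
    """Map permissions to capabilities and flag collection combined with exfiltration."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & needed)
            for cap, needed in CAPABILITIES.items() if perms & needed}
    can_exfiltrate = EXFIL in perms
    # Assumed threshold: two or more collection capabilities plus network access.
    suspicious = can_exfiltrate and len(hits) >= 2
    return {"capabilities": hits, "can_exfiltrate": can_exfiltrate,
            "suspicious": suspicious}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flag from this check is a prompt for closer review of the app, since legitimate apps can also request these combinations.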

Also, we have recently released Quick Heal Mobile Security for Android, which detects this malware as Android.Nickispy.C.

For more information please visit Quick Heal Mobile security.

Thank you Sandeep for the analysis.

Ranjeet Menon
