Hardware Fragmentation Thwarts Android Call-Recording Trojan

Threats that make or transmit unauthorized audio recordings are not a new concept, though they have largely been limited to proof-of-concept demonstrations and final-year university projects. This is a vector that generates a lot of interest among researchers, as it touches on many facets of security, such as data loss prevention and mobile threats, not to mention the changing face of the threat landscape. It is also something we have blogged about previously. Thus, when we received several inquiries about an Android threat we discovered over a week ago, and its ability to upload recorded voice conversations to a remote server, I decided to take a second look at the threat Android.Nickispy.

This app was available on multiple sites in China, where it has been promoted as a solution for concerned users to confirm suspicions of infidelity by tracking a significant other’s calls and whereabouts. The author had clearly stated the purpose, so anyone installing this app could not be mistaken in its intentions. Now, that’s not to say someone couldn’t install it on another person’s phone. Still, on completion of installation, the app actually shows up with an icon marked Speech Recorder, clearly visible to the user.

Despite multiple reports of the app uploading the recorded voice conversations to a remote server, our analysis has found no such functionality. It can record calls; however, physical access to the device is required in order to retrieve the recordings. Still, the app does have the ability to send data such as the GPS location and call and SMS logs to a remote server hosted by the creator of this app. For the “suspicious husband or wife” to see this tracking data, they then have to pay the app’s author for it.

If there was ever a reason to be grateful for the so-called “hardware fragmentation” issue surrounding Android devices, this is it. Because not all Android hardware behaves the same way, we have found that running the app on a real phone, as opposed to an emulator, can give quite different results. After testing with several mobile phones in our lab, the majority of the devices we used resulted in the app crashing and abruptly ending the call. We only found one device on which the threat ran successfully.

In an interesting twist, we were able to track down info about the creator of this app as a result of the continuous crashes. By doing an online search on the crash details in the accompanying error logs, we found a posted crash dump of the exact same issue on an Android developer forum, in which a developer was asking for urgent help with the code he or she was working on. A closer look at details of the posted crash dump showed that it had the same package name used in the threat. Still, it doesn’t look like they got all the bugs out since last year (posted July 15, 2010), because it’s still crashing most of the time on a real phone.

While I believe threats that attempt to make or transmit unauthorized recordings should be taken seriously, given the ubiquitous nature of smartphones, this isn’t necessarily one of those cases. Beyond the usual blog recommendations where we suggest best practices for security and updating definitions, I offer the following suggestion: if you find yourself to be in need of such an application, take the direct route and talk to your significant other instead.