A new piece of Android malware has been discovered. Dubbed KevDroid, the malware is being distributed in the form of a fake anti-virus application called Naver Defender. KevDroid is in fact a remote administration tool that steals sensitive data from infected devices. It is also capable of recording phone calls.
KevDroid Android Malware Technical Details
KevDroid was first discovered by ESET researchers, and later it was analyzed by Cisco Talos.
Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.
One variant of the malware was observed leveraging a known Android exploit, CVE-2015-3636, in order to get root access on the compromised Android device, the researchers said in their detailed analysis. Furthermore, data collected by both variants was sent via HTTP POST to a single command and control server. As for the ability to record calls, it has been implemented based on an open-source project available on GitHub.
Researchers are not sure yet who is behind the malware campaign. However, according to South Korean media coverage, the KevDroid malware may be linked to a North Korean state-sponsored group known as Group 123, which is behind cyber espionage campaigns.
The current list of malicious capabilities that KevDroid has includes the recording of phone calls and audio data, stealing web history and files, obtaining root access, stealing call logs, SMS, emails, collecting the devices’ location every 10 seconds, and harvesting the list of all installed applications.
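As an added defender-side example (not code from the original article or from the Talos analysis), the following Python check scans proxy-log lines for a device that POSTs to a single host at a steady cadence, the kind of beaconing pattern the HTTP POST exfiltration described above would produce. The log format, the sample entries, all IP addresses and URLs, and the use of a roughly 10-second cadence as the search window are assumptions for illustration; the article does not state how often KevDroid contacts its server.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy-log lines (not real KevDroid traffic).
# Assumed format: "<epoch_seconds> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1522800000 10.0.0.5 POST http://203.0.113.10/upload.php
1522800010 10.0.0.5 POST http://203.0.113.10/upload.php
1522800020 10.0.0.5 POST http://203.0.113.10/upload.php
1522800031 10.0.0.5 POST http://203.0.113.10/upload.php
1522800040 10.0.0.5 POST http://203.0.113.10/upload.php
1522800050 10.0.0.5 POST http://203.0.113.10/upload.php
1522800003 10.0.0.5 GET http://203.0.113.10/upload.php
1522800002 10.0.0.7 POST http://example.com/login
1522800400 10.0.0.7 POST http://example.com/login
1522800405 10.0.0.7 POST http://example.com/search
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def find_periodic_posts(log_text, min_posts=5, max_jitter=2.0,
                        min_period=5.0, max_period=15.0):
    """Return {(client, host): mean_period_seconds} for every client that
    sends at least min_posts POST requests to one host with a regular
    interval (low standard deviation) inside [min_period, max_period]."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts, client, method, url = m.groups()
        if method != "POST":
            continue
        host = url.split("://", 1)[-1].split("/", 1)[0]
        times[(client, host)].append(int(ts))

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if min_period <= period <= max_period and pstdev(gaps) <= max_jitter:
            hits[key] = round(period, 1)
    return hits
```

Tune min_posts and max_jitter to the environment; legitimate sync clients also post on timers, so a hit is a lead for triage (which app, what payload size), not a verdict.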
What Are the Consequences of a KevDroid Infection?
If attackers were successful in obtaining some of the data the malware is capable of harvesting, it could result in a number of issues for the infected user, researchers said.
Since mobile phones are used in nearly all daily activities, they contain a great deal of sensitive and personally identifiable data, such as photographs, passwords and banking information. An infection with KevDroid could result in the leakage of that data, which in turn could lead to a number of harmful outcomes.
Depending on the victim's status (a corporate user, for example), this infection could even lead to the kidnapping of a loved one, blackmail using images or secret information, credential harvesting, multi-factor token access (SMS MFA), banking/financial losses and access to privileged information via emails/texts, researchers warned. Many users access their corporate email via mobile devices.