Fake Google+ App Eavesdrops On Calls

Researchers at Trend Micro are reporting a new mobile Trojan that has the ability record phone calls, answer incoming calls, and respond to remote commands that arrive via SMS.

ANDROIDOS_NICKISPY.C is a Trojan Android App that uses the Google+ icon and installs using the name Google++. Like Nickispy.A and Nickispy.B before it, Nickispy.C records mobile phone calls. The newer version, Nickispy.C, also collects data such as text messages, call logs, and GPS locations. All the collected data is uploaded through port 2018 to a remote site.

From Trend Micro

Like other ANDROIDOS_NICKISPY variants, ANDROIDOS_NICKISPY.C also has the capability to record phone calls made from infected devices. What makes this particular variant different is that it has the capability to automatically answer incoming calls. Before answering the call, it puts the phone on silent mode to prevent the affected user from hearing it. It also hides the dial pad and sets the current screen to display the home page. During testing, after the malware answered the phone, the screen went blank.

Trend notes that since the MODIFY_PHONE_STATE permission was disabled in Android 2.3, the "auto-answering' function only works on Android 2.2 and below.

In general, Android malware is more numerous and more creative than malware currently being designed for iOS and even the Symbian OS. For example, in June the DroidKungFu malware had the capability to create a mobile botnet, a rogue network of compromised devices. This followed the release of the Geinimi Trojan, another botnet creating Trojan, in March in the largely unregulated Asian Android market. While Nikispy isn't building a botnet, future iterations might include the capability.