| Researchers January 10, 2018
January 10, 2018
Lookout has discovered new variants of the SpyWaller surveillanceware with advanced espionage capabilities. The variants now target Facebook Messenger, WhatsApp, and Google Hangouts among others, suggesting they are being used against Western targets.
SpyWaller's continual evolution and sophistication indicates an actor with significant resources is behind its development. Due to this, and that it appears quite targeted, Lookout considers it an mAPT — an APT that has evolved to focus on mobile devices. All Lookout customers are protected from this threat.
The SpyWaller family was first discovered in 2014 and came to the attention of security researchers due to its use of iptables in order to drop network connections made by specific antivirus applications. These early samples were capable of retrieving sensitive information from a number of messaging apps and concealed this malicious functionality in encrypted asset files that were loaded during execution. The actors behind SpyWaller have been busy evolving their tool, according to our analysis of the samples in the Lookout dataset, most notably by expanding the number of apps that it can retrieve data from, and reimplementing all information gathering functionality in native code as opposed to the Java layer.
Applications that the latest versions of SpyWaller targets include AireTalk, BlackBerry Messenger, Coco, Hi, Google Services Framework, Kakao Talk, KeeChat, Zapya, Line, MiTalk Messenger, Oovoo, QQ, Skype, TalkBox Voice Messenger, Telegram, Viber, Voxer Walkie Talkie Messenger, WeChat, WhatsApp, Facebook, Google Hangouts, and Wi-Fi credentials. The majority of these apps are for messaging and communication however others are for file sharing.
The latest SpyWaller variants are capable of accessing the sensitive data of over 20 different apps, in addition to being able to record calls, capture surrounding audio, track a device's location, take pictures with the camera, and retrieve a list of installed packages.
Initial infection is followed by requests to command and control infrastructure for the latest native code component that contains the bulk of SpyWaller's surveillanceware functionality. While we found the native code that is bundled up in the app is somewhat obfuscated, the latest binary served up by attacker infrastructure was not, and contains new code to target Facebook and Google Hangouts. These improvements in capability suggest that the actor behind SpyWaller may be deploying it in campaigns outside of China, where we believe the majority of previous activity to have been conducted.
SpyWaller can attempt to elevate its privileges and most variants have been found to include exploits for local vulnerabilities. Analysis indicates that attacker infrastructure can also provide additional exploits if necessary. If SpyWaller is able to elevate its privileges it attempts to establish persistence by copying various files to the /system/bin/ directory via the dd command. When deobfuscated this full command is:
mount -o remount system /system;dd if=<apk data data directory>/files/update of=/system/bin/update;chmod 6777 /system/bin/update;
The latest versions of SpyWaller primarily communicate on the non-standard port of 5353 to IPs that reside in China. The following addresses are associated to recent SpyWaller variants.
These IPs can be geolocated to within China, visualized in the map above. 4 IPs are concentrated near the Xinjiang province in northwest China, 2 to the coordinates near Shandong, and 1 to each of the remaining highlighted points.
Michael Flossman Security Research Services Tech Lead