Security experts have discovered a new Android trojan with a broad range of features that allow it to root Android devices, steal data from over 40 apps, and geo-track phone owners.
Named SpyDealer, the trojan only recently came to light, but researchers say they tracked activity surrounding this new threat going back to October 2015.
During their investigation, experts from Palo Alto Networks say they uncovered 1,046 distinct SpyDealer samples. Of all the samples they've discovered, experts say three versions are still deployed in the wild today: v1.9.1, v1.9.2, and v1.9.3.
The malware itself is quite potent, even if experts have described it as still under development. There are many features included, such as:
Most of these features are intrusive and require higher-level privileges. SpyDealer obtains administrator privileges by using a commercial rooting app named "Baidu Easy Root."
This app allows the SpyDealer malware to obtain root privileges on devices running Android versions 2.2 up to 4.4. This amounts to one in every four Android smartphones.
For devices where SpyDealer can't obtain root privileges via Baidu Easy Root, the malware falls back to the features that do not need higher-level privileges. Most of these features are for basic phone data collection.
At the moment, very few details are known about the app and its primary purpose. There is no information about its distribution methods, but Palo Alto says SpyDealer never made it onto the Google Play Store. Experts have warned Google, which is now capable of detecting and removing the malware via its newly launched Google Play Protect feature.
Most of the affected users are located in China, and the malware has been seen packed inside apps with the names of "GoogleService" or "GoogleUpdate."
Information detailing the malware's technical capabilities in more depth is available in this report.