SpyDealer

Security experts have discovered a brand new Android trojan that features a broad range of features that allow it to root Android devices, steal data from over 40 apps, and geo-track phone owners.

Named SpyDealer, the trojan only recently came to light, but researchers say they tracked activity surrounding this new threat going back to October 2015.

During their investigation, experts from Palo Alto Networks say they uncovered 1,046 distinct SpyDealer samples. Of all the samples they've discovered, experts say three versions are still deployed in the wild today: v1.9.1, v1.9.2, and v1.9.3.

SpyDealer is choke full of intrusive feature

The malware itself is quite potent, even if experts have described it as still under development. There are many features included, such as:

The ability to steal data from apps installed on the target's smartphone, such as: WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Brower, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk
The ability to abuse a legitimate Android feature (Accessibility Services) to messages from apps such as WeChat, Skype, Viber, and QQ.
The ability to control the target's phone via UDP, TCP and SMS channels
The ability to take screenshots of the phone's screen
The ability to record audio and video by surreptitious phone calls
The ability to take photos using the front and back cameras
The ability to monitor the phone's geo-location data
Automatically answering incoming phone calls from a specific number
Ability to collect smartphone details such as phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information.

SpyDealer can root one in four Adnroid devices

Most of these features are intrusive and require higher-level privileges. SpyDealer obtains administrator privileges by using a commercial rooting app named "Baidu Easy Root."

This app allows the SpyDealer malware to obtain root privileges on devices running Android versions 2.2 up to 4.4. This amounts to one in every four Android smartphones.

For devices where SpyDealer can't obtain root privileges via Baidu Easy Root, the malware will be content with exploiting the features that do not need higher level privileges. Most of these features are for basic phone data collection.

At the moment, very few details are known about the app and its primary purpose. There is no information about its distribution methods, but Palo Alto says SpyDealer never made it on the Google Play Store. Experts have warned Google, who is now capable of detecting and removing the malware via its newly launched Google Play Protect feature.

Most of the affected users are located in China, and the malware has been seen packed inside apps with the names of "GoogleService" or "GoogleUpdate."

Information detailing the malware's technical capabilities in more depth are available in this report.