Android Stalkerware MonitorMinor spies, steals & evades

The new Android Stalkerware also intercepts text messages. Here’s what else it can do…

Amidst all the global panic surrounding a plague, it turns out that malicious attackers are still keen to do their job. In the latest development, Kaspersky has discovered a new stalkerware named MonitorMinor that can both steal a victim's data and track them.

For those of you unfamiliar with the term, stalkerware is basically any program that someone may install on your device to spy on you; this could be a spouse or perhaps any other family member. This is essentially what separates it from spyware, which is not installed deliberately by someone with access to the device but instead finds its way in through vulnerabilities in the victim's device.

See: Cookiethief Android malware hijacks Facebook accounts without password

To start with, MonitorMinor operates by infecting the system partition during its installation. Once done, it can intercept and read messages from a range of popular communication apps including Gmail, Facebook, Instagram, Kik, Hangouts, Viber, Skype, Snapchat and many more.

This is in addition to the traditional functionality found in such malware, which is limited to intercepting SMS messages and call data along with leaking the victim's location, making MonitorMinor a much more sophisticated case.

Now, one may wonder how it establishes a direct app-to-app communication channel to access the data of the aforementioned apps when this is clearly prohibited by Android's sandbox protection. It does so by installing a superuser (SU) utility that grants it root access, bypassing the traditional controls and hence allowing it to read other apps' data on the device.

Furthermore, it can carry out a range of other actions including but not limited to:

  • Accessing the hash of the authentication credential in place, such as a password, and hence unlocking the device itself,

  • Controlling the device by giving commands by SMS,

  • Using the device’s microphone to record sound,

  • Viewing the stored contacts, Google Chrome’s browsing history, usage statistics of specific apps, system logs, the real-time video being recorded and content in the device’s internal storage.

In the event that it fails to get the SU utility installed, it can still perform certain actions without escalated privileges. It does so by misusing the built-in Accessibility Services API, which allows it to intercept the events occurring within other applications.

“When MonitorMinor acquires root access, it remounts the system partition from read-only to read/write mode, then copies itself to it, deletes itself from the user partition, and remounts it back to read-only mode. After this “castling” move, the application cannot be removed using regular OS tools,” said researchers in their blog post.

However, this isn’t the first time such a tactic has been used. A couple of weeks ago we saw malware named Shopper do the same, representing a growing trend.

Image: an example of WhatsApp messages intercepted using this method (source: Kaspersky).

MonitorMinor is superior to other tracking apps that can be used for stalking purposes in many aspects. It implements all kinds of tracking features, some of which are unique, and it is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks.

Concerning its spread, Kaspersky has reported India to be in the lead at 14.71% of detections, Mexico at 11.76%, with Germany, Saudi Arabia and the UK following. Moreover, a Gmail account with an Indian name was found in the malware’s code, indicating that it originates from India, although this could be a trick to conceal its true origin.

But that’s not all. Reportedly, the control panel was also found in Turkish and English, hinting at a more complex background for the attackers.

See: Fake WiseCleaner website spreading CoronaVirus ransomware

To conclude, since this particular app has features not found in others of its kind, users apparently need to take more precautions in order to guard against it. This can range from disabling the Accessibility Services API as a whole, if one does not need any such feature, to regularly scanning one’s phone using good anti-virus software.
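The two techniques described above (a system partition remounted read/write, and abuse of the Accessibility Services API) both leave traces that a defender can check over `adb shell`. The following triage helper is an added example, not code from the article or from Kaspersky; it parses constructed sample output of `mount` and `settings get secure enabled_accessibility_services`, and the allowlist of expected accessibility packages and the `com.example.monitor` package name are assumptions to adapt to your own devices.

```python
"""Triage helper (added example): flag a read/write system partition and
enabled accessibility services that do not belong to an allowlisted package."""
import re

# Packages whose accessibility services are expected on this fleet. This
# allowlist is an assumption; adapt it to the vendor and apps you actually use.
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def system_mounted_rw(mount_output):
    """True if /system (or / on system-as-root devices) is mounted rw.
    Expects the output of `adb shell mount`."""
    for line in mount_output.splitlines():
        # Format: <device> on <mountpoint> type <fs> (<opt1>,<opt2>,...)
        m = re.match(r"\S+ on (\S+) type \S+ \(([^)]*)\)", line.strip())
        if not m:
            continue
        mountpoint, opts = m.group(1), m.group(2).split(",")
        if mountpoint in ("/system", "/") and "rw" in opts:
            return True
    return False


def suspicious_accessibility_services(settings_output):
    """Return enabled accessibility services whose package is not allowlisted.
    Expects the output of `settings get secure enabled_accessibility_services`,
    a colon-separated list of <package>/<service class> ("null" when empty)."""
    value = settings_output.strip()
    if value in ("", "null"):
        return []
    flagged = []
    for entry in value.split(":"):
        package = entry.split("/", 1)[0]
        if package not in KNOWN_A11Y_PACKAGES:
            flagged.append(entry)
    return flagged


# Constructed sample output; not captured from a real infected device.
SAMPLE_MOUNT = """\
/dev/block/dm-0 on / type ext4 (ro,seclabel,relatime)
/dev/block/by-name/system on /system type ext4 (rw,seclabel,relatime,discard)
/dev/block/by-name/userdata on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev,noatime)
"""
# "com.example.monitor" is a placeholder package name, not a real indicator.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.monitor/.svc.AccessService")

if __name__ == "__main__":
    print("system partition mounted rw:", system_mounted_rw(SAMPLE_MOUNT))
    print("non-allowlisted accessibility services:",
          suspicious_accessibility_services(SAMPLE_A11Y))
```

On a real device, feed the functions the output of `adb shell mount` and `adb shell settings get secure enabled_accessibility_services`; a read/write system partition on a device that should be locked down, or an unfamiliar accessibility service, is a reason to inspect the device further.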
