SpyDealer Rooting Malware Steals Data From Android Devices

Capable of intercepting data from more than 40 apps, the SpyDealer malware has recently been discovered by researchers at Palo Alto Networks. The malware has a number of capabilities that allow it to extract personal information from a compromised Android device.

SpyDealer versions

According to the researchers, the malware exists in several versions: 1.9.1, 1.9.2 and 1.9.3. The latest version, 1.9.3, has all of its configuration settings encrypted and includes an accessibility service, which it uses to read messages that it would otherwise have to pull from encrypted app databases.

The researchers report that the malware has probably been in the wild since October 2015, judging from the data obtained from infected devices.

The malware targets Android versions 2.2 through 4.4. Data suggests that 25% of Android devices are still running those versions. The malware can still run on later versions, but with fewer privileges.

So far, the malware harvests data from 40 different apps, including Facebook, WeChat, WhatsApp and other social media and messaging apps. It goes by the name GoogleUpdate and is distributed via third-party app stores.

It is not available on Google's official app store, which means that users need to be wary of apps offered by unknown app stores.

What does it do?

SpyDealer has a very sophisticated set of features that allows it to record audio and video, answer calls automatically, retrieve personal messages, determine a person's exact location and take photos.

How does it work?

The malware works by gaining privileges on the infected device, which it does by rooting it. The exact method by which the malware is installed on the system is not known. However, the following process has been revealed.

The malware registers two broadcast receivers that listen for certain events. One fires when the device boots; the other fires whenever a network connection is established.

If either event occurs, the AaTService is launched, which then retrieves the readme.txt file containing the malware's configuration.

This file contains the IP address of the C2 server from which the malware receives instructions, along with the commands for mobile networks and the commands for Wi-Fi networks.

According to Palo Alto Networks, once the configuration file is downloaded, the rooting procedure begins. Versions 1.9.1 and 1.9.2 use the exploits from Baidu Easy Root to gain root privileges. Baidu Easy Root is a third-party commercial app commonly used to root a device.

It is mainly used to give users access to certain phone settings that would otherwise be locked down by the platform's security restrictions.

In practice, the malware downloads a file called raw.zip, which contains all the exploits featured in Baidu Easy Root 2.8.3.

All three versions, including 1.9.3, also use a second method to gain root privileges that does not rely on Baidu Easy Root: the malware executes the files 'png' and 'toor.sh' to gain root access.

After rooting the device, the malware executes a file called power manager, which creates a backup copy of the malware. Whenever a user tries to uninstall the malware, it is reinstalled from this backup and executes its code again.

Connecting with the server

The malware then establishes a connection with remote C2 servers or passively receives commands. It communicates with the servers through three channels: SMS, TCP and UDP.

The SMS channel uses a broadcast receiver that listens for incoming SMS messages; these messages carry the commands to be executed.

Similarly, the TCP channel passively listens for commands on port 396568.

The UDP channel, on the other hand, actively connects to the remote server and receives encrypted commands, allowing the attacker to exfiltrate various types of information.

Reading text messages in real time

Many apps encrypt the data they transmit, which prevents attackers from intercepting a person's messages in transit. SpyDealer, however, uses the Android accessibility service to read messages in plain text directly from the screen.

The accessibility service is enabled remotely, which is possible because the attacker has root privileges on the device.
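The hooks described under "How does it work?" and "Connecting with the server" (receivers for boot and connectivity changes, an SMS command receiver) and the accessibility service described here all have to be declared in an app's AndroidManifest.xml, which makes them a practical target for static triage. The following Python script is an added example, not code from Palo Alto Networks' report or from the malware, that scores a manifest for that combination of indicators. The sample manifest, its package name and its class names are constructed for the demonstration; the intent actions and permission names are standard Android identifiers.

```python
"""
Static triage of an AndroidManifest.xml for the combination of hooks the
article attributes to SpyDealer: boot/connectivity receivers, an SMS
receiver, an accessibility service, and surveillance permissions.
Added example; the sample manifest below is constructed, not a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix ElementTree uses for android:* attributes

# Intent actions matching the triggers and the SMS channel from the article.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts on boot",
    "android.net.conn.CONNECTIVITY_CHANGE": "starts on network change",
    "android.provider.Telephony.SMS_RECEIVED": "SMS command channel",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permissions behind the capabilities listed in the article.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio/call recording",
    "android.permission.CAMERA": "photo/video capture",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.RECEIVE_SMS": "reads incoming SMS",
    "android.permission.READ_SMS": "reads stored SMS",
}

# Constructed manifest (hypothetical package and class names) that declares
# the hooks the article describes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.update">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="GoogleUpdate">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AaTService"/>
    <service android:name=".ScreenReader"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return findings and a verdict ('clean', 'review' or 'suspicious')."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""

    # 1. Broadcast receivers wired to boot, connectivity or incoming SMS.
    triggers = {}
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(A + "name")
            if name in TRIGGER_ACTIONS:
                triggers[name] = TRIGGER_ACTIONS[name]

    # 2. A service bound as an accessibility service can read other apps'
    #    on-screen text, which is how the article says messages are captured.
    accessibility = any(
        svc.get(A + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )

    # 3. Permissions that enable the surveillance features.
    permissions = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name")
        if name in SPY_PERMISSIONS:
            permissions[name] = SPY_PERMISSIONS[name]

    # 4. A Google-sounding label on a package outside Google's namespace.
    masquerade = "google" in label.lower() and not package.startswith("com.google.")

    persistence = any(
        a in triggers
        for a in ("android.intent.action.BOOT_COMPLETED",
                  "android.net.conn.CONNECTIVITY_CHANGE")
    )
    surveillance = accessibility or len(permissions) >= 2
    if persistence and surveillance:
        verdict = "suspicious"
    elif persistence or surveillance:
        verdict = "review"
    else:
        verdict = "clean"
    return {"package": package, "label": label, "triggers": triggers,
            "accessibility": accessibility, "permissions": permissions,
            "masquerade": masquerade, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-14s %s" % (key, value))
```

Run it over a manifest extracted from an APK (for example with apktool) and the combination of a boot or connectivity receiver with either an accessibility service binding or two or more surveillance permissions yields "suspicious"; a single indicator only yields "review", since legitimate apps also restart on boot or use the camera.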

The ultimate cyberespionage

As mentioned earlier, SpyDealer spies on a victim using a number of different techniques.

It records phone calls and surrounding audio. To do so, the malware uses a PhoneStateListener to detect incoming calls.

The malware can also record video through both the rear and front cameras of the infected device. Since Android requires a preview surface for video recording, the malware creates a tiny preview surface measuring 3dip x 3dip.

Furthermore, SpyDealer can take photos covertly, again creating a tiny preview surface so the user does not notice that a picture is being taken.

Also, an attacker can configure the malware to answer phone calls automatically.

Lastly, the malware can determine the victim's geographic location using the phone's GPS. This function is activated whenever the phone's screen is turned off and stops as soon as the screen comes on.

This helps the malware stay unnoticed, since the GPS indicator in the status bar appears inactive to the user. Moreover, the malware also uses the map service of Baidu Easy Root to determine the location based on GSM.

All of the information gathered is saved to files in the appropriate formats and uploaded to the attacker's servers.
