Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

We found a new spyware family disguised as chat apps on a phishing website. We believe that the apps, which exhibit many cyberespionage behaviors, are initially used for a targeted attack campaign. We first came across the threat in May on the site http://gooogle[.]press/, which was advertising a chat app called “Chatrious.” Users can download the malicious Android application package (APK) file by clicking the download button indicated on the site.


The website became inactive for months after that encounter in May. We only noticed that it came back in October, this time with a different app called “Apex App.” We have identified this as a spyware family that can steal users’ personal information. Trend Micro detects both of the threats as AndroidOS_CallerSpy.HRX.



Figure 1. Screenshots of Chatrious (left) and Apex App (right)


Behavior analysis


CallerSpy claims to be a chat app, but we found that it has no chat features at all and is riddled with espionage behaviors. When launched, CallerSpy initiates a connection with the C&C server via Socket.IO to listen for incoming commands. It then uses Evernote Android-Job to schedule jobs that steal information.



Figure 2. CallerSpy initiates C&C connection (left) and then starts scheduling jobs (right)


CallerSpy sets several scheduling jobs to collect call logs, SMSs, contacts, an ..
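
As an added triage example (not code from the original report or from Trend Micro), the following Python sketch checks an APK for the combination described above: the Socket.IO client and Evernote Android-Job libraries in the DEX files, together with permissions covering call logs, SMS and contacts. The permission list and the sample APK are assumptions constructed for illustration; both libraries are common in legitimate apps, so a match only marks a sample for manual review, and obfuscated builds that rename library classes will not match.

```python
import io
import zipfile

# Library package prefixes as they appear in DEX type descriptors.
LIBRARY_MARKERS = {
    "socket.io-client": b"Lio/socket/client/",
    "evernote-android-job": b"Lcom/evernote/android/job/",
}
# Assumed mapping from the data named in the report to Android permissions.
PERMISSIONS = [
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
]

def triage_apk(apk_bytes):
    """Report which library markers and permissions occur in an APK."""
    libs, perms = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                data = apk.read(name)  # covers multidex: classes2.dex, ...
                libs.update(k for k, m in LIBRARY_MARKERS.items() if m in data)
            elif name == "AndroidManifest.xml":
                data = apk.read(name)
                # Binary manifest string pools are UTF-16LE or UTF-8; check both.
                for p in PERMISSIONS:
                    if p.encode("utf-16-le") in data or p.encode("utf-8") in data:
                        perms.add(p)
    return {
        "libraries": sorted(libs),
        "permissions": sorted(perms),
        # Review only when both libraries and all three permissions are present.
        "review": len(libs) == len(LIBRARY_MARKERS) and len(perms) == len(PERMISSIONS),
    }

def build_sample(dex_strings, manifest_perms):
    """Constructed stand-in for an APK: a zip with fake DEX and manifest bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
        z.writestr("AndroidManifest.xml", "\x00".join(manifest_perms).encode("utf-16-le"))
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample(
        [b"Lio/socket/client/Socket;", b"Lcom/evernote/android/job/JobManager;"],
        PERMISSIONS,
    )
    print(triage_apk(sample))
```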