A malware family targeting older versions of the Android operating system has been identified by researchers from Palo Alto Networks. The researchers named the malware "SpyDealer" because of its focus on retrieving sensitive information from infected devices. The malware exploits the same Android vulnerabilities previously used by the commercial rooting app Baidu Easy Root. Once the device is rooted, it can read potentially sensitive information directly from the private storage of applications such as messaging and social media apps and web browsers. Affected applications include Android's native browser, the Firefox browser, Facebook, and WhatsApp. For applications whose data it cannot read this way, the malware abuses the operating system's accessibility service to capture the desired content as it is displayed. Using this method, messages from applications such as Skype, Viber, WeChat, and QQ can also be harvested.
Aside from app data, SpyDealer can also steal identifying information about the device itself, including its IMEI and IMSI numbers. In addition, the malware collects the device's phone number, SMS and MMS data, contacts, and call history. Because the malware reports the phone number, its operators can send it commands over SMS and remotely control the device. However, there are no reports yet of an infected device actually being remotely controlled this way. If the data gathering and remote control capabilities are not enough to alarm consumers, the malware also has access to the device's camera and microphone: it can take pictures with the cameras, record audio of the owner's surroundings, and capture screenshots of whatever is on the screen. It can also monitor the location of an infected device. Given this long list of capabilities, the name SpyDealer is fitting, and researchers regard it as an advanced form of Android malware.
At present, the malware's rooting exploits only work on devices running Android 4.4 KitKat and older, which still comprise around 25% of the operating system's user base. However, the researchers who discovered the malware believe it is still under active development and may therefore gain the ability to root newer versions sooner rather than later. It is not yet known exactly how the malware is spread, but infected devices appear to have obtained it through compromised wireless networks. Users who only install applications from the Google Play Store are at comparatively low risk, since the malware has not been distributed through that service, and Google's security checks on the store are meant to block any future attempt to distribute it there.
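The two indicators the article gives a defender something to check for are the rooting of an old-API device and an unexpected accessibility service. The following triage helper is an added example written for this page; it is not Palo Alto Networks' code and contains nothing from SpyDealer itself. It parses the text returned by three real adb commands (`getprop ro.build.version.sdk`, `settings get secure enabled_accessibility_services`, and `ls` on the usual `su` paths). The allowlist of platform accessibility services, the `com.example.suspicious` service name and the sample command outputs are all constructed for illustration; SpyDealer's actual package and service names are not given on this page and are not assumed here.

```python
"""Triage helper for the SpyDealer indicators described in the article.

Added example, not code from Palo Alto Networks or from the malware.
It parses the output of these real adb commands:
  adb shell getprop ro.build.version.sdk
  adb shell settings get secure enabled_accessibility_services
  adb shell ls /system/xbin/su /system/bin/su
"""
import shutil
import subprocess

# API level 19 is Android 4.4 (KitKat); the article says the rooting exploits
# only work on 4.4 and older.
MAX_AFFECTED_SDK = 19

# Accessibility services a device is expected to have enabled.
# Assumption: TalkBack is the common benign case; tune this for your fleet.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample outputs (not captured from a real infected device).
SAMPLE_SDK = "19\n"
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.suspicious/com.example.suspicious.SpyService\n"
)
SAMPLE_LS = "/system/xbin/su\nls: /system/bin/su: No such file or directory\n"


def is_affected_sdk(sdk_text):
    """True if the reported API level is within the range the exploits target."""
    try:
        return int(sdk_text.strip()) <= MAX_AFFECTED_SDK
    except ValueError:
        return False  # unparsable output: make no claim either way


def parse_accessibility_services(settings_text):
    """Split the colon-separated 'package/service' list stored in Secure settings.

    `settings get` prints the literal string 'null' when the key is unset.
    """
    text = settings_text.strip()
    if text in ("", "null"):
        return []
    return [entry for entry in text.split(":") if entry]


def unknown_accessibility_services(settings_text):
    """Enabled accessibility services that are not on the allowlist."""
    return [
        svc for svc in parse_accessibility_services(settings_text)
        if svc not in KNOWN_ACCESSIBILITY_SERVICES
    ]


def su_binary_present(ls_text):
    """`ls` prints the path itself for an existing file and an error line otherwise."""
    return any(line.strip().endswith("/su") for line in ls_text.splitlines())


def triage(sdk_text, services_text, ls_text):
    """Combine the three signals into one findings dict."""
    return {
        "affected_sdk": is_affected_sdk(sdk_text),
        "unknown_accessibility_services": unknown_accessibility_services(services_text),
        "su_binary": su_binary_present(ls_text),
    }


def adb_shell(*args):
    """Run a command on the attached device and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        findings = triage(
            adb_shell("getprop", "ro.build.version.sdk"),
            adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
            adb_shell("ls", "/system/xbin/su", "/system/bin/su"),
        )
    else:
        findings = triage(SAMPLE_SDK, SAMPLE_SERVICES, SAMPLE_LS)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

An `su` binary on an old-API device is only circumstantial (the owner may have rooted it deliberately), so the combination of all three findings is what merits a closer look at the device, not any one of them alone.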