A new cyberespionage tool called CallerSpy has been revealed by Trend Micro, but the developer's intentions for the malware are still unknown.
CallerSpy was first spotted in May on the typosquatted website http://gooogle[.]press/, where it was advertised as a chat app called Chatrious. Using the misspelled Google name in the URL appears to be the main method of attracting victims, and the website goes an extra step by placing fake Google corporate copyright details on
The site almost immediately went silent, only to come back in October, this time under the name Apex App. Trend Micro believes CallerSpy could be the initial phase of a larger campaign that has either not been fully initiated or not yet launched, as no victims have been spotted and no detections for it have appeared on VirusTotal.
Trend Micro's researchers found several confusing aspects of CallerSpy. In many cases threat actors build the advertised capability into the app to further camouflage its true malicious nature, but CallerSpy's only ability is to steal information. The app only works on Android devices, even though options for Mac and Windows are offered on the website. In addition, the icon that is downloaded is labeled "rat", and researchers found bits and pieces of debug code left in the malware.
Still, the researchers said it is perfectly capable of stealing data. Once downloaded, its first action is to contact one of four command-and-control servers to receive information-stealing assignments. The malware uses Evernote's Android-Job library to schedule the thefts, which include taking screenshots and collecting call logs, SMS messages, contacts and files on the device. This content is stored locally and then periodically uploaded to
In addition to using a misspelling of Google in the URL as a bit of subterfuge, the team behind CallerSpy also erased its registrant data.
"Lookup reveals that this domain was registered on February 11, 2019 at Namecheap. However, we found that all the registrant data was untraceable. It is important to note, however, that domain privacy protection is common among domains that Namecheap offers," Trend Micro said.
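The lure domain in this story relies on a misspelled brand name, which is something a defender can hunt for in DNS or proxy logs. The script below is an added example (not from the article or from Trend Micro) that flags brand-lookalike domains such as gooogle[.]press; the log format, the brand list and the log lines themselves are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

BRANDS = ["google", "microsoft", "apple"]
# Exact domains the brands legitimately use (assumed short list for the demo).
LEGIT = {"google.com", "microsoft.com", "apple.com"}
QUERY_RE = re.compile(r"query=(?P<fqdn>[\w.-]+)")

# Constructed sample DNS query log; not real telemetry. gooogle.press is the
# lure domain named in the article, the other entries are made up.
SAMPLE_LOG = """\
2019-10-02T10:11:12Z client=10.0.0.5 query=gooogle.press type=A
2019-10-02T10:11:13Z client=10.0.0.5 query=www.google.com type=A
2019-10-02T10:11:14Z client=10.0.0.7 query=g00gle-login.info type=A
2019-10-02T10:11:15Z client=10.0.0.9 query=example.org type=A
"""

def main_label(fqdn):
    """Second-level label: 'gooogle' for 'www.gooogle.press'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def fold_digits(label):
    """Undo common digit-for-letter swaps (g00gle -> google) before comparing."""
    return label.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))

def is_lookalike(fqdn, brands=BRANDS, threshold=0.8):
    """True if the main label resembles a brand but the FQDN is not a legitimate brand domain."""
    fqdn = fqdn.lower().rstrip(".")
    if any(fqdn == d or fqdn.endswith("." + d) for d in LEGIT):
        return False
    label = fold_digits(main_label(fqdn))
    for brand in brands:
        # Brand name embedded (g00gle-login) or on a foreign TLD (google.press) ...
        if brand in label:
            return True
        # ... or a near-miss spelling such as gooogle (ratio 12/13 against google).
        if SequenceMatcher(None, label, brand).ratio() >= threshold:
            return True
    return False

def find_lookalikes(log_text):
    """Return the queried domains in log_text that look like brand typosquats, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_lookalike(m.group("fqdn")):
            hits.append(m.group("fqdn"))
    return hits
```

Tune the brand list and the similarity threshold to your environment; short brand names will need a higher threshold to keep false positives down.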