
Android.Spywaller


First posted on 25 December 2015.
Source: Symantec

Aliases:

There are no other names known for Android.Spywaller.

Explanation:

Android package file
The Trojan may arrive as a package with the following characteristics:

Package name: com.schemedroid
Version: 1
Name: Google Service

Permissions
When the Trojan is being installed, it requests permissions to perform the following actions:
Allow applications to write the APN settings
Configure an application for debugging
Start once the device has finished booting
End background processes
Use the device's mic to record audio
Access the camera
Use the device's camera to record video
Read or write to the system settings
Read or write the secure system settings
Initiate a phone call without using the Phone UI or requiring confirmation from the user
Monitor, modify, or end outgoing calls
Read user's contacts data
Create new contact data
Monitor incoming SMS and MMS messages
Receive WAP push messages
Open network connections
Read, write, and send SMS messages on the device
Access information about networks
Check the phone's current state
Modify the phone's state
Modify audio settings
Make the phone vibrate
Change network connectivity state
Write to external storage devices
Restart packages
Allow access to low-level system logs
Access location information, such as GPS, Cell-ID, or Wi-Fi
Prevent processor from sleeping or screen from dimming
Change the Wi-Fi connectivity state
Access information about the Wi-Fi state
Read user's browsing history and bookmarks
Read user's call log
Display alerts

Installation
Once installed, the application will display an icon with a green robot with a white cube on its chest.



Functionality
Once launched, the Trojan hides its launch icon.

If the compromised device is not already rooted, the Trojan will attempt to root it.

The Trojan then gathers information from the compromised device, including the following:
Call data
Pictures
Contacts
SMS messages
Emails
Browser data
Data from social media apps such as QQ, Skype, WhatsApp, and Talkbox

The Trojan then uploads the stolen information to the following remote location:
221.215.87.164
The Trojan may also block the network activity of the following mobile security application, if installed on the compromised device:
Qihoo 360

Last update 25 December 2015

 
