# Hacking Group Spies on Android Users in India Using PoriewSpy

**Posted on:** [January 29, 2018 at 12:00 am](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/01/)
**Posted in:** [Mobile](https://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/), [Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/)
**Author:** [Mobile Threat Response Team](https://blog.trendmicro.com/trendlabs-security-intelligence/author/mtrteam/)
_by Ecular Xu and Grey Guo_

[We have been seeing attacks that spy on and steal data from specific targets on the mobile platform](https://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/) since late 2017. We discovered malicious apps victimizing Android users in India, and we believe a hacking group—one previously known for victimizing government officials—carried out the attacks. We identified these malicious apps as PoriewSpy (detected by Trend Micro as ANDROIDOS_PORIEWSPY.HRX). We also suspect that the group used malicious apps built using DroidJack or SandroRAT (detected as ANDROIDOS_SANRAT.A), based on similarities in their command-and-control (C&C) servers. [DroidJack is a remote access Trojan (RAT)](https://blog.trendmicro.com/malware-gotta-catch-em-all/) that allows intruders to take full control of a user's Android device once installed.
[The operators behind these malicious apps might be related to a suspected cyberespionage group](http://www.securityweek.com/pakistan-apt-group-targets-indian-government) discovered in 2016, but it is also possible that the group is launching different attacks unrelated to their previous campaign.

**_PoriewSpy turns device into an audio recorder, steals other device info_**

Existing as far back as 2014, PoriewSpy steals sensitive information from victims' devices such as SMS, call logs, contacts, location, and the SD card file list. It can also record victims' voice calls. The malware was developed from an open-source project called android-swipe-image-viewer, or [Android Image Viewer](https://github.com/chiuki/android-swipe-image-viewer), which the malware operator/s modified to add the following components:

**Permissions**

| Permission | Description |
|---|---|
| android.permission.INTERNET | Allows applications to open network sockets |
| android.permission.RECORD_AUDIO | Allows applications to record audio |
| android.permission.ACCESS_NETWORK_STATE | Allows applications to access information about networks |
| android.permission.READ_SMS | Allows applications to read SMS messages |
| android.permission.READ_LOGS | Allows applications to read the low-level system log files |
| android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service |
| android.permission.READ_CONTACTS | Allows applications to read the user's contacts data |
| android.permission.READ_CALL_LOG | Allows applications to read the user's call log |
| android.permission.READ_PHONE_STATE | Allows read-only access to phone state |
| android.permission.WRITE_EXTERNAL_STORAGE | Allows applications to write to external storage |
| android.permission.READ_EXTERNAL_STORAGE | Allows applications to read from external storage |
| android.permission.RECEIVE_BOOT_COMPLETED | Allows applications to receive the ACTION_BOOT_COMPLETED broadcast sent after the system finishes booting |
| android.permission.BATTERY_STATS | Allows applications to collect battery statistics |
| android.permission.ACCESS_FINE_LOCATION | Allows applications to access fine (e.g., GPS) location |
| android.permission.ACCESS_WIFI_STATE | Allows applications to access information about Wi-Fi networks |
| android.permission.ACCESS_COARSE_LOCATION | Allows applications to access coarse (e.g., Cell-ID, Wi-Fi) location |
| android.permission.ACCESS_MOCK_LOCATION | Allows applications to create mock location providers for testing |
| android.permission.CHANGE_NETWORK_STATE | Allows applications to change network connectivity state |

**Services**

| Service | Purpose |
|---|---|
| AudioRecord | Main espionage component |
| LogService | Log collection |
| RecordService | Audio recording |

**Receivers**

| Receiver | Purpose |
|---|---|
| OnBootReceiver | Auto-start after device reboot |
| BatteryReciever | Handles device power-connect action |
| CallBroadcastReceiver | Handles call actions |
| NetworkChangeReceiver | Handles device network actions |
| CameraEventReciver | Handles camera-related actions |

_Figure 2. Services and receivers added by the malware author/s to the modified Android Image Viewer_

PoriewSpy apps were automatically downloaded from malicious websites visited by users. When the malicious app is launched, it initially shows nude photos of an Indian actress, but later hides its icon to keep itself out of the user's sight. When the user places a call on an infected device, the malware starts recording the audio and saves it to /sdcard/.googleplay.security/ under the name "_VoiceCall_" + currentTime. It can also turn the mobile device into an audio recorder that captures audio every 60 seconds, even when the user is not on a phone call.

_Figure 3. Code snippet of malware performing offline audio recording on user device_

Apart from secretly recording audio with the affected device, the malware can also write out and steal contacts, SMS, call logs, and location information.

_Figure 4. Code snippet of malware stealing contacts from user device_

_Figure 5. Code snippet of malware stealing SMS content from user device_

_Figure 6. Code snippet of malware stealing call logs from user device_

_Figure 7. Code snippet of malware accessing [http://mylocation.org](http://mylocation.org/) to steal the user device's location derived from its IP address. Note: the malware can still compromise the user even when they are outside India or South Asia._

_Figure 8. Code snippet of malware stealing location information from user device through GPS or network_

In our research, we also found a malicious app, named after an Indian model-actress, that bears similarities to the code of the PoriewSpy apps. It was created in 2014, and we speculate that it is an earlier version of PoriewSpy; it also shares a C&C server with some of the latest ones. The malicious app is capable of stealing call logs, contacts, SMS, and the SD card file list, and of recording audio.

_Figure 9. Left: Configuration code of the seemingly earlier version of PoriewSpy. Right:_

Apps built using DroidJack also appear to have been used by the hacking group behind PoriewSpy, based on the C&C servers they share. The operators disguised these DroidJack-built apps as freeCall, BatterySavor, Secure_Comm, and Nexus_Compatability. The malicious apps are capable of obtaining all the permissions needed for an Android device's main functions, including accessing, modifying, and executing calls, SMS, phonebook, camera, and audio recorder, as well as enabling or disabling Wi-Fi connectivity.
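As an added illustration of how the permission and component lists above can be used defensively (this is example code, not from the original post or the malware), the following Python heuristic matches an AndroidManifest.xml against those indicators. The sample manifest it checks is constructed for the demo, and the scoring threshold is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post lists for the modified Android Image Viewer.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_LOGS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}
# Service and receiver class names the post says the author added.
SPY_COMPONENTS = {
    "AudioRecord", "LogService", "RecordService", "OnBootReceiver",
    "BatteryReciever", "CallBroadcastReceiver", "NetworkChangeReceiver",
    "CameraEventReciver",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Match one AndroidManifest.xml against the PoriewSpy indicators above."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    comps = set()
    for tag in ("service", "receiver"):
        for e in root.iter(tag):
            # ".OnBootReceiver" or "com.x.OnBootReceiver" -> "OnBootReceiver"
            comps.add(e.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    hit_perms = sorted(perms & SPY_PERMISSIONS)
    hit_comps = sorted(comps & SPY_COMPONENTS)
    # An image viewer that records audio, reads SMS/call logs and restarts
    # itself at boot is the combination the post describes; flag that.
    suspicious = ("android.permission.RECORD_AUDIO" in hit_perms
                  and "android.permission.RECEIVE_BOOT_COMPLETED" in hit_perms
                  and len(hit_perms) >= 4 and len(hit_comps) >= 2)
    return {"package": root.get("package"), "permissions": hit_perms,
            "components": hit_comps, "suspicious": suspicious}

# Constructed sample manifest modelled on the post's tables (not a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sqisland.android.swipe_image_viewer">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".RecordService"/>
    <receiver android:name=".OnBootReceiver"/>
    <receiver android:name=".CallBroadcastReceiver"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the matched permissions and components; on a real sample, feed it the decoded manifest from apktool or a similar decoder.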
**_The C&C servers of PoriewSpy and DroidJack-built apps_**

Some of PoriewSpy's C&C servers were located at 5[.]189[.]137[.]8 and 5[.]189[.]145[.]248, while some of the DroidJack-built apps' were at 93[.]104[.]213[.]217 and 88[.]150[.]227[.]71. Our research revealed that these four C&C servers were previously used by a hacking group that allegedly engaged in cyberespionage activities. The abused IPs 5[.]189[.]137[.]8, 5[.]189[.]145[.]248, and 93[.]104[.]213[.]217 can be traced back to a legitimate hosting service provider based in Germany, while 88[.]150[.]227[.]71 belongs to a provider in the UK. 62[.]4[.]2[.]211, the C&C server of the initial version of PoriewSpy that some of the latest versions also use, belongs to a service provider in France. The hacking group also used draagon[.]ddns[.]net, located in South Asia.

_Figure 10. The chart above shows the connections between the C&C servers of PoriewSpy and DroidJack-built apps and the suspected cyberespionage group. The green dots represent the current malicious samples. IPs colored in yellow are the ones used by the group in their previous campaign, while the ones in red are presumably the extension to the mobile platform._

The period in which PoriewSpy and the DroidJack-built apps became active also appears to match that of the hacking group's campaign: we observed that the abovementioned mobile malware became active between late 2015 and early 2016, around the same period the hacking group's campaign was active.

**_Countermeasures_**

Targeted attacks on mobile devices may be few compared to those on desktops or PCs, but the discovery of PoriewSpy and other malicious apps that spy on the mobile platform should caution users about the threats that may come their way if their devices remain unsecured. Downloading only from legitimate app stores can prevent PoriewSpy and DroidJack-built apps from compromising your mobile device. It is also important to be aware of what apps are allowed to access, and [to understand the risks before accepting any terms or granting certain permissions to apps](https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/mobile-safety/).

End users and enterprises can also benefit from multilayered mobile security solutions such as [Trend Micro™ Mobile Security for Android™](https://www.trendmicro.com/en_us/forHome/products/mobile-security.html), which is also available on Google Play. For organizations, [Trend Micro™ Mobile Security for Enterprise](https://www.trendmicro.com/en_us/forHome/products/mobile-security.html) provides device, compliance and application management, data protection, and configuration provisioning, as well as protecting devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, and detecting and blocking malware and fraudulent websites. Trend Micro's MARS covers Android and iOS threats using leading sandbox and machine learning

We disclosed our findings to Google, who stated that none of the abovementioned malicious apps are on Google Play. Updates were made to Google Play Protect to defend against new and existing similar threats.
**_Indicators of Compromise (IOCs)_**

| App Label | Package Name |
|---|---|
| com.google.security | com.sqisland.android.swipe_image_viewer |
| com.google.security | com.sqisland.android.swipe_image_viewer |
| com.google.security | com.sqisland.anwdroid.sipe_image_viewer |
| com.google.security | com.sqisland.android.swipe_image_viewer |
| com.google.security | com.sqisland.android.swipe_image_viewer |
| com.google.security | com.sqisland.android.swipe_image_viewer |
| freecallv3 | net.droidjack.server |
| Nexus_Compatability | net.droidjack.server |
| Rabia_Secrets | net.droidjack.server |
| BatterySavor | net.droidjack.server |
| Secure_Comm | net.droidjack.server |
| Sannia_Secrets | net.droidjack.server |
| Shivali Rastogi | com.poonam.panday |

**_C&C servers_**

- 74[.]208[.]102[.]80
- 5[.]189[.]137[.]8
- 5[.]189[.]145[.]248
- 93[.]104[.]213[.]217
- draagon[.]ddns[.]net
- 88[.]150[.]227[.]71
- 62[.]4[.]2[.]211

Tags: [PoriewSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/poriewspy/)