A new mobile Remote Access Trojan (RAT) named CallerSpy is targeting Android devices, according to information from Trend Micro. CallerSpy collects personal information such as call logs, SMS text messages, contacts, and files on the device, using Evernote's Android-Job library to schedule jobs that run concurrently in the background. Additionally, this RAT can receive commands from its Command and Control (C2) server to take screenshots, record the environment, upload data, and update the RAT configuration. The malware distribution site gooogle[.]press mimics Google in order to trick users into downloading the app.
CallerSpy Mounts a Targeted Attack
In its current state, CallerSpy is very obviously a fake application: it has no user interface (UI), no features, uses the default generic Android app icon, and the app name is labeled as “rat”. Debug code was also left in the app, which usually indicates an app is still under development and was not intended to be released yet. As always, great care must be taken when installing any apps that are acquired through non-trusted sources, including websites or alternate app stores. The safest Android app policy is to allow installation of apps only from the Google Play store or other well-known and trustworthy app stores, and then only install well-known apps with a history of many downloads and positive user reviews.
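A distribution domain that imitates a trusted brand, like gooogle[.]press above, can be flagged when reviewing proxy or DNS logs. The following Python check is an added example, not taken from the Trend Micro report; the `PROTECTED` brand list, the function names and the one-edit threshold are assumptions chosen for illustration.

```python
import re

# Assumption: brands to protect, mapped to their legitimate registrable domains.
PROTECTED = {"google": {"google.com"}}

def refang(indicator):
    """Undo common defanging (hxxp, [.]) and return the lowercase hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s)
    return s.split("/")[0].split(":")[0].rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def collapse(label):
    """Squash runs of a repeated character: 'gooogle' and 'google' -> 'gogle'."""
    return re.sub(r"(.)\1+", r"\1", label)

def lookalike(indicator):
    """Return (brand, reason) if the host imitates a protected brand, else None."""
    host = refang(indicator)
    labels = host.split(".")
    if len(labels) < 2:
        return None
    for brand, legit in PROTECTED.items():
        if any(host == d or host.endswith("." + d) for d in legit):
            continue  # the brand's own domain or one of its subdomains
        # Simplification: only the last label is treated as the public suffix.
        for label in labels[:-1]:
            if label == brand:
                return (brand, "brand on unofficial domain")
            if collapse(label) == collapse(brand):
                return (brand, "repeated-character variant")
            if edit_distance(label, brand) <= 1:
                return (brand, "one-edit variant")
    return None

if __name__ == "__main__":
    # Constructed sample input; only the first value appears on this page.
    for d in ["gooogle[.]press", "hxxps://www.google.com/search", "example.org"]:
        print(d, "->", lookalike(d))
```

Any hit is a prompt for manual review rather than an automatic block, since short brand names produce false positives at a one-edit threshold.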