Researchers have discovered a new strain of Android spyware that can make its way through WhatsApp conversations. The malware code was found in a public repository on GitHub titled as “OwnMe.” The malware uses the default MainActivity class to launch the OwnMe service. A pop-up message will then be displayed to the user saying, “service started,” implying that the malware is still in the developmental phase. The malware defines a number of variables that contain empty fields. Once the malware is called, it will start with a “startExploit” function. If it has access to the internet, a connection to a server will be established. The malware has an unfinished screenshot function and another function that was created to compromise WhatsApp data. This particular function will upload the victim’s WhatsApp database to a C&C server along with the username and android_ID variables that were hijacked in the startup process. Times, titles, and URLs can be grabbed from the victim’s bookmarks via a function called “getHistory.” This function will only fetch saved bookmarks and cannot scan through the entire browsing history of victims. The victim’s contacts are also a target which includes call logs, names, and phone numbers if the malware is permitted to read the victim’s call history. The last few functions seen include gallery and camera access along with a function to read the battery level and the ability to check CPU usage. To ensure persistence, the malware will restart itself each time when the device is rebooted. It appears that the malware has not been released in the wild since it is unfinished at the time of writing this article.
