Researchers: Android malware records phone conversations

Researchers have discovered a spy campaign where both computers and smartphones are attacked and hacked routers and proxies are used to hide the identity of the attackers. The attack starts with Word documents that are sent to embassies, researchers, army officials, oil companies and banks in mainly Russia and Eastern Europe. The documents exploit several vulnerabilities in Microsoft Word, according to antivirus company Kaspersky Lab.

Android Malware

The attackers abuse a vulnerability in Word which Microsoft patched in March but which has already been used in attacks. As soon as the malware is activated the attackers use the Swedish cloud service CloudMe and the WebDAV protocol to communicate with infected machines. To mask their identity the attackers use a proxy network of hacked routers that are mainly located in South Korea. According to security company BlueCoat ,the routers are likely taken over due to bad configurations and default login details.

The attackers collect all kinds of data on infected systems which besides computers also includes smartphones. Mobile users are lured to malicious apps through links in email messages. The attackers possibly also use MMS messages to spread links to mobile malware. Security researchers found malware modules for Android, BlackBerry and iOS devices.

The mobile malware is also used to collect information about victims, including phone conversations. Phone conversations of infected Android users are stored in the MP4 format and the  files are periodically send to the attackers. Researchers of BlueCoat state in their report that the attackers deliberately left deceptive traces in the malware to make it harder to find the real identity of the developers. The malware contains words and names from different countries like Spain and India while the attackers are active in European timezones and sometimes leave Chinese malware.

Users can trace infections by monitoring unauthorized WebDAV traffic and by checking whether regsvr32.exe isn’t continuously in the processlist. To avoid becoming infected,  security companies recommend to keep your software up-to-date  to not jailbreak phones, to not install apps from unofficial sources and to be alert on unsolicited  emails with RTF files attached to be alert on MMS messages that offer app updates.