DDSpy disguises itself as Gmail and runs silently in the background. It shows no icon, hiding in the app list, and communicates with its command server via SMS. “Android client-side trojan malware”, says Kim Titus, senior director and head of corporate communication at NQ Mobile, “is the next evolution. We are seeing a proliferation of malware that works in stealth mode, for instance hiding icons and encrypting outbound device data to command and control servers and delivering payloads that only activate in specific situations.”
NQ Mobile’s warning is the latest in a series of alerts on SMS malware, a threat it believes will escalate. This malware traditionally makes its money by making unauthorized calls to premium numbers. Now it is evolving into traditional malware, able to receive instructions from a remote server and to exfiltrate data on demand. This means the business model is changing. Unauthorized premium calls can be expensive for the victim; theft of bank details could be disastrous.
One new development with DDSpy is the inclusion of a GPS hook, so far unused, which suggests further development is likely. Titus explained the possible relevance. “Trojan malware,” he told Infosecurity, “can be designed to activate based on a specific GPS or cell site location. Location-based malware is more difficult to detect and may well use technology that evades anti-virus detection. This hiding of the malware makes detection difficult. As a result, malware authors don’t have to re-engineer their malcode as often. Even they are looking for ways to keep their costs down.”
There is another possibility, perhaps more in keeping with the premium number business model. “Malware authors will also look to exploit the ad behavioral platform,” warned Titus. “The GPS / cell site location link could very well be correlated to this. Just as mobile adware displays on a device without permission and is becoming very common, especially with app developers, so it’s no surprise that app and ad behavior tracking will continue to be more common. This will be a main revenue driver for mobile location-based ads (and of course adware and spyware) in the coming months and years.”
The problem for the user is that DDSpy is adept at hiding itself and gives few obvious clues to its presence. “It is particularly insidious as it covers its tracks well,” explained Titus. “There is no icon; it just waits quietly in the background for instructions from a command center. As it creates a database of information stolen from text messages, call logs and even voice calls, users might not know about it until they fall victim to full-blown identity theft.”
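The traits the article attributes to DDSpy (a Gmail label on a package that is not Gmail, no launcher icon, permission to receive SMS as a command channel, and permission to read messages, call logs, audio and location) can be turned into a simple triage heuristic for an app inventory. The script below is an added example written for this article, not NQ Mobile's tooling or anything taken from the malware; the inventory records are constructed, the step of collecting them from a device is assumed rather than shown, and the label-to-package mapping is an assumption limited to the one label the article mentions.

```python
"""
Triage heuristic for the hiding behaviour described in the article:
a familiar label on an unexpected package, no launcher icon, an SMS
permission that could serve as a command channel, and permissions that
allow collection of messages, call logs, audio and location.
All inventory data here is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumption: labels mapped to the package names that legitimately use them.
# Only the label the article mentions is listed.
KNOWN_LABELS = {
    "Gmail": {"com.google.android.gm"},
}

# Permissions that enable an SMS command channel.
SMS_CONTROL = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}

# Permissions that enable the collection the article describes.
COLLECTION = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


@dataclass
class AppRecord:
    """One installed app as seen by whatever inventory step feeds this script (assumed)."""
    package: str
    label: str
    has_launcher_activity: bool
    permissions: set = field(default_factory=set)


def assess(app: AppRecord) -> list:
    """Return the suspicious traits found for one app; an empty list means nothing flagged."""
    reasons = []
    legit = KNOWN_LABELS.get(app.label)
    if legit is not None and app.package not in legit:
        reasons.append(f"label '{app.label}' used by unexpected package {app.package}")
    if not app.has_launcher_activity:
        reasons.append("no launcher activity (no icon)")
    if app.permissions & SMS_CONTROL:
        reasons.append("can receive/send SMS (possible SMS command channel)")
    collected = sorted(app.permissions & COLLECTION)
    if collected:
        reasons.append("collection permissions: " + ", ".join(collected))
    return reasons


def triage(inventory, min_reasons: int = 3) -> dict:
    """Map package name to its reasons for every app matching at least min_reasons traits."""
    flagged = {}
    for app in inventory:
        reasons = assess(app)
        if len(reasons) >= min_reasons:
            flagged[app.package] = reasons
    return flagged


# Constructed sample inventory: the real Gmail package, a harmless app, and an
# app that shows the combination of traits the article describes.
SAMPLE_INVENTORY = [
    AppRecord("com.google.android.gm", "Gmail", True,
              {"android.permission.READ_CONTACTS"}),
    AppRecord("com.example.notes", "Notes", True, set()),
    AppRecord("com.example.svc", "Gmail", False, {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.RECORD_AUDIO",
        "android.permission.ACCESS_FINE_LOCATION",
    }),
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

The threshold matters: a launcher-less app holding an SMS permission is not unusual on its own (carrier and messaging services look like that), so the script reports only the combination of traits and leaves the verdict to a human, who would then inspect the flagged package rather than trust the label it displays.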