Android malware eavesdrops on users, tapping Google+ as disguise, says researcher

According to Mark Balanza, Androidos Nickispy.C does not display an icon on the infected device, and uses a variety of service calls on the smartphone or tablet computer.

This malware is notable, he says, for using Google+ - Google’s recently released social network - when trying to hide itself from the user. When installed, the malware pops up the Google+ icon, and apparently installs itself with a 'Google++' name tag.

As with other malware of its type, Nickispy.C is capable of collecting data from the device, including text messages, call logs and GPS locations, and then uploads the data to a remote URL via port 2018 on the device.

“It is also capable of receiving commands through SMS. To do so, however, requires the sender to use the predefined 'controller' number from the malware’s configuration file to send the message, as well as enter a password, for the command to be executed”, he says in his latest security posting.

Unlike other Nickispy variants, he adds, this version of the malware has the ability to answer an incoming call automatically, subject to certain system conditions being present.

Before answering the call, Balanza says that the malware places the phone in silent mode - to prevent the device user from hearing it - and also hides the dial pad, setting the main (current) screen to display the home page.

However, the Trend Micro threat researcher adds, during testing, after the malware answered the phone, the screen went blank.

“From the looks of it, the developer behind this app went for the more real-time kind of eavesdropping as well, apart from the one being used by Nickispy.A that involves the recording of the call”, he says, adding that the malware only runs on Android 2.2 or below.

This is because, he notes, the MODIFY_PHONE_STATE permission was disabled in Android 2.3.
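For defenders triaging a decoded `AndroidManifest.xml`, the traits reported above (no launcher icon, a 'Google++' label, and access to SMS, call logs, location and telephony) can be checked together. This is an added example, not code from the article or from Trend Micro; the behaviour-to-permission mapping, the sample manifest and the assumption that the label is a literal string rather than a resource reference are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumption: permissions that the behaviours in the article would need;
# the article itself names only MODIFY_PHONE_STATE.
BEHAVIOUR_PERMS = {
    "reads text messages": P + "READ_SMS",
    "receives SMS commands": P + "RECEIVE_SMS",
    "reads call logs": P + "READ_CONTACTS",  # covered the call log on Android 2.2
    "reads GPS location": P + "ACCESS_FINE_LOCATION",
    "uploads to a remote URL": P + "INTERNET",
    "controls telephony": P + "MODIFY_PHONE_STATE",
}
BRANDS = ("google+",)  # labels an unrelated package should not imitate

def triage(manifest_xml):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = ["permission: " + b for b, p in BEHAVIOUR_PERMS.items() if p in requested]
    # No LAUNCHER category in any intent filter means no icon in the app drawer.
    categories = {e.get(ANDROID + "name") for e in root.iter("category")}
    if "android.intent.category.LAUNCHER" not in categories:
        findings.append("no launcher icon")
    # Flag a brand-like label on a package outside the brand's namespace.
    app = root.find("application")
    label = (app.get(ANDROID + "label") or "") if app is not None else ""
    package = root.get("package") or ""
    for brand in BRANDS:
        if brand in label.lower() and not package.startswith("com.google."):
            findings.append("label %r imitates %r (package %s)" % (label, brand, package))
    return findings

# Constructed sample manifest (not taken from the real malware).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <application android:label="Google++">
    <service android:name=".MainService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Any single finding is common in legitimate apps; it is the combination of a hidden icon, a borrowed brand label and telephony control that merits a closer look.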
