Android spyware in development plunders WhatsApp data, private conversations

The malware's code hosts a variety of surveillance functions and is available to the public.
Written by Charlie Osborne, Contributing Writer

A new strain of Android-based spyware able to rifle through WhatsApp conversations has been discovered as an open development project online.

The malware, originally discovered by ESET researcher Lukas Stefanko, is not only able to compromise WhatsApp messages but also contains a variety of standard surveillance features.

An investigation into the new spyware (.PDF) conducted by G DATA SecurityLabs uncovered the malware's code in a public repository titled "OwnMe" on GitHub.

The malware consists of a MainActivity.class which launches the OwnMe.class service. A pop-up message is then shown to the Android user with the text, "Service started," which implies the malware is still in development.

With the exception of malicious code such as ransomware, the majority of malware families will attempt to hide their presence in infected devices through covert operations and obfuscation techniques.

In the cases of spyware and stalkerware, especially, you do not want a victim to know they are being watched -- and so such a message would not likely be included in the final build.

The service also defines a number of variables which contain empty fields -- at least, for now.

See also: The ultimate guide to finding and killing spyware and stalkerware on your smartphone

After being called, the service begins with the startExploit() function. If the spyware has Internet access, a connection to a server is established.

CNET: Google promises Chrome changes after privacy complaints

The malware has a number of interesting features. However, some of which appear to be unfinished, such as a screenshot function element uncovered in the software's code.

"However, no actual screenshot function is called and nothing is sent to the server in here," G DATA says. "This furthermore strengthens our thesis that this function is yet still under development."

Another function has been created to compromise WhatsApp data. This function uploads the user's WhatsApp database to a command-and-control (C2) center using a .php query, as well as the username and the android_id variables taken from the startup process.

TechRepublic: The 10 most common types of malware, and how to avoid them

The malware is also to use a function named getHistory() to grab titles, times, URLs and visits from user bookmarks. However, this function only fetches saved bookmarks and, at least at present, is not able to rifle through the full browsing histories of victims.

Contacts are also a target, which is typical of spyware variants. Names and phone numbers, as well as call logs, if the malicious app has been granted permission to read Android call histories.

Gallery access and camera functions are also compromised, and the malware also contains a function which checks battery levels and CPU usage.

"However, there is no implementation for a message check like with the commands above and hence that command is not actively used yet," the researchers note.

In order to maintain persistence, the malicious app will restart itself on reboot.

The malware is still in development and may not be released into the wild. However, the creation of new Android malware is no surprise with mobile malware development and deployment on the rise.

App47 estimates that mobile malware variants have risen by 54 percent since 2016, an increase from 17,000 to 27,000 currently known variants.

In August, Bitdefender researchers uncovered a different form of Android spyware. Dubbed Triout, the malware has the ability to record phone calls, monitor text messages, steal media content and track user locations.

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards