JSocket: Android malware that hijacks legitimate apps

AlienSpy reincarnated is back with a new set of tools designed to steal your data.
Written by Charlie Osborne, Contributing Writer

JSocket, the protege of AlienSpy, has been transformed with enhanced capabilities designed to take over your mobile devices as well as traditional PCs.

Mobile malware is on the rise. It is not yet as commonplace, or as widely reported, as PC threats, but our smartphones and tablets now act as repositories of our sensitive information, which makes them enticing targets for attackers.

Unfortunately, mobile remote access trojans (RATs) are surging in popularity, as a successful infection can open a device to remote control and data theft. JSocket is one such RAT, and it has recently evolved to match modern security protections and attack both our PCs and our mobile devices.

First discovered in June this year, JSocket -- most recently known as AlienSpy -- is described by Fidelis in a new report as a "reincarnation" of previous malware. Not only can Java-based JSocket control Linux, Mac and Windows PC systems remotely, but the malicious code is also able to affect mobile devices.

As an example, JSocket can be embedded into an existing mobile app, so the victim remains infected while using what is otherwise fully functional, legitimate software on their Android device.

If you have removed the built-in security controls by jailbreaking or rooting your device, you are also granting JSocket access to a wider range of areas to infiltrate.

"For instance, by taking a fully legitimate Angry Birds application, you could infect it with JSocket and the end-user would just see Angry Birds and it would work as expected," the security team says. "The reality is their phone would be infected and the attacker would have complete control."

JSocket's Android capabilities do not end there. The malware can remotely control and access microphones and cameras, use a device's GPS to track victims, and both view and modify text messages and phone call data.

The JSocket Trojan tends to spread through e-mail attachments masquerading as invoices, purchase orders and other financial documents, which vary depending on the campaign.

To infect mobile devices, the Trojan is loaded into apps downloadable outside of the official Google Play store, as the malicious code requires an Android APK to function.

Fidelis says:

"JSocket has had rapid development of its feature set and the author behind the malware has proactively added features to detect bugs and enhance its functionality.

Additionally, the author of JSocket is monitoring the security community and taking active steps in JSocket's development to evade detection and response to infections. JSocket is active and responsive to support requests."

This is not the only example of mobile malware developed with remote access capabilities. The security team from Recorded Future has analyzed malware samples revealing cyberattackers from Iran targeting Android systems through RATs. NjRAT and XtremeRAT are common examples used in Syrian surveillance campaigns and in attacks launched against Israeli, Egyptian and Saudi Arabian targets.

JSocket has also been discovered in global phishing attacks and was found this year on the mobile phone of Argentinian prosecutor Alberto Nisman, murdered in his bathroom days before the federal prosecutor was due to release a report on the workings of the country's government.

The security firm says over 2000 samples have been registered in the wild, with infections concentrated in the US, Canada, Ireland and Belgium.

If deployed to infect a device, JSocket could be used to spy upon and stalk victims for government and intelligence reasons or as a gateway to steal credentials to break into corporate networks.

There is always a risk associated with jailbreaking a device, mainly that you void your warranty, but with more malware tailored for rooted devices appearing, your personal security has become a more important factor to weigh before jailbreaking or rooting a smartphone or tablet.

Fidelis suggests that consumers and business users alike avoid rooting their devices in the first place, and ensure that the security setting "Allow installation of non-Market applications" is turned off. In addition, always check what permissions a mobile app requests on installation, as it is common practice for mobile malware to request everything.
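One way to act on that advice across a fleet of devices, as an added example that is not part of the original article or of Fidelis's report: triage apps that were not installed from Google Play and that request the microphone, camera, GPS, SMS and call-log permissions matching the capabilities described above. It reads the output of the real `adb shell pm list packages -i` and `adb shell dumpsys package` commands; the sample output embedded below is constructed and trimmed to the lines the parsers consume, and the package names are hypothetical.

```python
"""Triage sideloaded Android apps whose permissions cover the spying capabilities the article attributes to JSocket."""
import re
# Real Android permission names, keyed to the capabilities named in the article.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call data",
}
PLAY_STORE = "com.android.vending"  # installer id reported for the official Play store

def parse_installers(pm_output):
    """package -> installer, from `adb shell pm list packages -i` output lines."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)$", pm_output, re.M))

def parse_requested_permissions(dumpsys_output):
    """package -> requested permissions, from `adb shell dumpsys package` sections."""
    perms, current = {}, None
    for line in dumpsys_output.splitlines():
        if m := re.match(r"\s*Package \[(\S+)\]", line):
            current, perms[m.group(1)] = m.group(1), set()
        elif current and re.fullmatch(r"\s+android\.permission\.\S+", line):
            perms[current].add(line.strip())
    return perms

def flag_sideloaded_candidates(pm_output, dumpsys_output, min_caps=3):
    """Return {package: capabilities} for apps not installed by Play that request
    at least min_caps spy capabilities; a hit is a review signal, not proof."""
    installers, flagged = parse_installers(pm_output), {}
    for pkg, requested in parse_requested_permissions(dumpsys_output).items():
        caps = sorted({SPY_PERMISSIONS[p] for p in requested if p in SPY_PERMISSIONS})
        if installers.get(pkg) != PLAY_STORE and len(caps) >= min_caps:
            flagged[pkg] = caps
    return flagged

# Constructed sample output, trimmed to the lines the parsers read.
PM_SAMPLE = "package:com.example.birds installer=null\npackage:com.example.bank installer=com.android.vending\n"
DUMPSYS_SAMPLE = """Packages:
  Package [com.example.birds] (1a2b3c):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
  Package [com.example.bank] (4d5e6f):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION"""
```

Running `flag_sideloaded_candidates(PM_SAMPLE, DUMPSYS_SAMPLE)` flags only `com.example.birds`; the bank app requests the same sensitive permissions but came from Play, so it is left for normal review. On Android versions that still expose the global setting, `adb shell settings get secure install_non_market_apps` reports the "non-Market applications" toggle the article mentions, with 1 meaning sideloading is enabled.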
