SpyDealer malware can hack your Facebook, WhatsApp and almost 40 other accounts

Researchers have identified a malware that can hack 40 or more social media accounts, including Facebook and WhatsApp, on Android systems.

The malware is called SpyDealer, and it can only run on Android operating systems between 2.2 Froyo and 4.4 Kitkat. The current OS is 7.1.2 Nougat.

However, that can still affect millions of phones globally, with some estimating that up to 500 million phones may be at risk, approximately 25 percent of active Android phones today.

Researchers at Palo Alto network looking at the malware identified that the code could steal personal information from social media accounts, including contact information, phone numbers, call history, Wi-Fi information and the device’s location history whenever the screen is turned off.

SpyDealer Malware affects Android

Once the malware is installed, it begins hacking into the root process of your phone, taking over basic controls. Older versions used Baidu Easy Root, a third party app, to hack into the root privileges. However, the most recent version instead uses a file called raw.zip that has all the exploits Baidu uses to gain root privileges.

It could also listen in on phone and text conversations and take photos without the user’s control from either camera, or screenshot what’s on the screen, and can even answer a phone call without user input.

If a user tries to uninstall the trojan, SpyDealer uses the power manager file to create a backup of itself, preventing a user from effectively removing the malware.

Researchers have not identified how the malware spreads or how devices become infected. However, compromised users have popped up internationally, including in China, where a compromised wireless network apparently infected multiple devices.

Google has promised to develop new protections in order to help users avoid the malware infection.

Spydealer Malware on the loose 

The malware has existed for at least two years, according to researchers, and multiple versions of it are traversing the globe. The oldest documented case of the malware was October 2015. Versions 1.9.1, 1.9.2 and 1.9.3 are currently documented, and researchers expect that the malware will release more updated to keep up with security soon.

The malware was likely not spread through the Google Play app store that Androids rely on, but instead is likely being passed off as a normal Google software update that tricks unwitting users into downloading the software onto their phones.

Many of the targeted apps are social media sites, like TeamSnap, suggesting SpyDealer may have originated there.

As of June, researchers have documented more than 1000 incidents of SpyDealer infecting a phone, with thousands more potentially unreported.

Another malware campaign, WannaCry, made news this May when it infected more than 200,000 individuals and businesses, seizing computers and forcing users to pay a random in order to regain control. The attack hit major corporations, including the United Kingdom’s National Health Services and FedEx. Computers that updated their security settings were able to avoid the attack, but outdated computers were infected en masse over a period of four days.

Later in May, yet another malware campaign hit Android users. The Judy malware was found in all 41 apps released by Korean company Kiniwini, which sometimes updates to the Google Play store under Enistudio. Researchers have estimated the virus has hit between 8.5 to 36.5 million users globally.

Google Play responded swiftly to the malware, removing any apps that contained the code and taking steps to prevent it from spreading again. However, users should ensure that any apps that contain the Judy character – such as in Chef Judy: Picnic Lunch Maker or Fashion Judy: Magic Girl Style – are uninstalled from their phones.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s