SpyDealer is an Android trojan that is able to gain root privilege on devices running versions 2.2 to 4.4, steal data from over 40 applications, and spy on users by recording phone calls, taking photos via front or rear cameras, geotracking, or capturing screenshots. According to Palo Alto, SpyDealer is capable of controlling a device remotely via SMS, UDP, and TCP communications.

According to Palo Alto's Unit 42, SpyDealer’s capabilities include:

  • Using the commercial rooting app “Baidu Easy Root” to gain root privilege and maintain persistence on the infected device
  • Abusing the Android Accessibility Service feature to steal user's messages from communication apps such as WeChat, Skype, Viber, QQ
  • Controlling the device remotely via UDP, TCP, and SMS channels
  • Collecting personal information such as phone number, IMEI, IMSI, SMS, MMS, contacts, accounts, phone call history, location, and connected Wi-Fi information
  • Exfiltrating data from over 40 popular mobile apps including: WeChat, Facebook, WhatsApp, Skype, Line, Viber, QQ, Tango, Telegram, Sina Weibo, Tencent Weibo, Android Native Browser, Firefox Browser, Oupeng Brower, QQ Mail, NetEase Mail, Taobao, and Baidu Net Disk
  • Automatically answer incoming phone calls from a specific number
  • Spying on victims by:
    • Recording the phone call and the surrounding audio & video.
    • Taking photos via both the front and rear camera
    • Monitoring the compromised device’s location
    • Taking screenshots

Technical Analysis

  • Researchers at Palo Alto provide technical analysis here.
  • Researchers at BleepingComputer provide technical Analysis here.