Android spy apps Annual Report of 2017

Posted by Alex Zaah filed under Cell phone spy

As Android devices keep getting smarter and more popular around the world, many people and organizations are building spywares for this platform for special purposes, such as logging phone book, call logs, text messages, locations and call recordings etc and sending these data back to their server without the phone owner knowing. Furthermore, some Android spy apps are even able to read data and information from other apps like WhatsApp, Gmail, Skype, Facebook, and Twitter.

Well certainly that’s not all. As I discovered, some apps could even download and install apps from remote servers in the background as per instructions, or use the infected device to attack other cell phones.

According to a report from Tencent, the number of Android spywares saw a 20% yoy growth in the past year. In the meantime, Android devices infected with spy apps are also growing steadily.

Here I would prepare an annual report on Android spy apps and sum up theirs functions.

Chrysaor, Android’s version of Pegasus

Google and Lookout lab discovered a most sophisticated spy app last march called Chrysaor, which was used to attack activist and journalist in Turkey, Mexico, Israel and Georgia. It’s said that the application could be created by a Israel spy company NSOGroup who developed an iOS based spy app Pegasus to attack The United Arab Emirates human – rights activist.

Chrysaor could not only steal users’ privacy, but also uses the camera and microphone to spy on its owners’ every move. What’s more, it has a smart mechanism of self destruction, this is why it was only discovered three years later after its debut.

Some of its fascinating functions include.

1.Collect private information from popular apps like Gmail, Skype, Facebook, Twitter, Viber and Kakao.
2.Control the remote handset via text messages.
3.Monitor and log video and voice call in the background.
4.Take keyboard and screenshots.
5.Disable system auto update in case vulnerabilities fix.
6.Auto self destruct to avoid detection.

The app will trigger auto-destruction in cases

1.Invalid SIM, or MCC ID.
2.There are security docs in the device.
3.Continuous disconnection from the server for up to 16 days.
4.When it receives such instructions from the server.

Chrysaor takes advantage of the Framaroot vulnerability to gain root access and full control of the target device to steal private data from other apps. In the meantime, it seems NSOGroup also integrated many Android zero day vulnerabilities code into the newer version of Chrysaor.

Lipizzan spy apps family

Google revealed an Android spy app which was believed to be one of the Lipizzan family last August. The application was created by a company called Equus Technologies, it disguise itself as cleaner or backup apps in various app stores to get itself distributed into thousands of Android handsets.

Once installed, it will scan the device and acquire root access, upload text messages, phone book, email and other apps’ private data to the server.

xRAT, a variant of Xsser mRAT

Lookout published a few report on xRAT last September, the report pointed out that it a kind of variant of Xsser mRAT that attacked the protesters in Hong Kong. They have the same code structure, decryption key and naming convention. This means they are built by the same team or company.

xRAT can do a lot of things as follows

1.Log web browsing record.
2.Obtain handset info like model, maker, IMEI number etc.
3.Log text message, phone book, call log.
4.Log WiFi info like SSID and password.
5.Log location info.
6.Log Email info like ID and password.
7.Log all application installed including user and system apps.
8.Log SIM card info
9.Connect to remote server.
10.Download file to certain folder or delete files or folders.
11.List folders and files and view their info and contents.

xRAT can remove itself too. It will scan and find anti-virus apps or cleaners and inform the developer.

Apps take advantage of vulnerability of CVE-2015-3878

VE-2015-3878 was first revealed last October and shortly spywares take advantage of it was found. The spy app found by Tencent could hide its icon and run in the background to steal user privacy and execute the code received from the server. It can run on Android devices running 5.0 and 6.0.

The functions include:

1.Hide the icon and its whereabouts.
2.Record the screen or take screenshots and upload them.
3.Intercept text messages.
4.Upload WiFi info to the remote server.
5.Execute codes or commands from the server.


Trend technology found a new spy app called GnatSpy which was believed to have connections with the notorious organization APT-C-23. Researchers believe it’s a variant of the more common spyware VAMP, but more dangerous. The latter was used to attack the education and military establishments in the middle east, target OS include Android and Windows.

However it’s still unknown how the victims were infected. One speculation would be the app disguise itself as Android settings or Facebook update to make people install it. The app was not widely seen so researchers tend to think it target certain people or organization.


Skygofree was first discovered by Kaspersky lab a month ago, and was believed to be developed by an Itlian company which is very active in the security software industry. Since its release in 2014, many more functions have been added, including location based recording, steal info from WhatsApp using Android Accessibility services, and connect the infected devices to WiFi network controlled by the attacker.

The newest version of Skygofree could root the target device and create a reverse shell to execute commands from the server and let the attacker take full control of the device.

Major capabilities include:

1.Log and upload audio files like call recordings.
2.Record surrounding sounds when the victim is in a certain area.
3.Log location info using GPS.
4.Log location of cell towers, LAC, CellID etc.
5.Steal keyboard or pasteboard data.
6.Search and upload files to the server.
7.Received instructions via text message, HTTP or XMPP.
8.Create a WiFi network and force the victim to connect.
9.Root the device using vulnerabilities like CVE-2013-2094, CVE-2013-2595, CVE-2013-6282, CVE-2014-3153 and CVE-2015-3636.
10.Steal data from Line, Viber, WhatsApp, Facebook和 Facebook Messenger.
11.Monitor live message of WhatsApp using Android Accessibility service.

Some services created by the app:

  • AndroidAlarmManager – upload the latest .amr audio
  • AndroidSystemService – Audio recording
  • AndroidSystemQueues – Location logging
  • ClearSystems – GSM location logging(CID,LAC,PSC)
  • ClipService – Pasteboard logging
  • AndroidFileManager – Upload data
  • AndroidPush – XMPP C&C protocal(
  • RegistrationService – HTTP based registration ofC&C(

Commercial spy apps

There are now many commercial spy apps out there which have almost the same functions as spywares although they are advertised as parental control or Find My Android. You can find a lot of such apps in various app stores or websites. The major difference would be you need to buy and install it on the target device.

Most commercial spy apps have below functions:

1.Log text messages and call log.
2.Track target phone’s location.
3.Log web browsing history and bookmarks.
4.View photos and videos.
5.Steal other private info like Email or pictures.

With the development of spyware and commercial spy apps, many remote access Trojans (RAT) surfaced. RAT is more common in the black market, it infects computers and mobile devices and then communicate with the server, upload various private data. Major Android RATs include DroidJack, SpyNote, AndroidRAT , dendroid, DarkComet and OmniRAT.

Here I will take Spynote as an example and detail how it works.

Open the tool and it will prompt you to enter a public port. Below you can see that it successfully connected.

Now click Tools -> Build to create an app. Here you need to provide a few parameters like a public available port and host, application name, server name and version.

Once the app is being created, you can install it on any Android device and Spynote will hide itself automatically. And yes now you can control it from the server.

What can Spynote do? Well a lot, include but not limited to:

1.Create an app and bind to any app.
2.Control the handset from a computer.
3.View, transfer and delete any file.
4.Send, receive and view text messages.
5.Manage phone book and calls.
6.Monitor the microphone.
7.Application management.
8.GPS tracking.
9.Execute commands.

I uploaded Spynote 3.2 for download and test (Java and framework 4.5+ required). With a server or a local computer with public IP, you can build a server to control a wide range of Android devices.

How to stay away from spywares?

I would recommend a few as follows.

1.Do NOT install apps from sources you do not know.
2.Set up a pin code or pattern or fingerprint so that no one can use your handset without your permission.
3.Update your Android to the newest version available.
4.Install a security app could be a better option.

Copyright © 2009 Profone Tracking by Alex Zaah. All Rights Reserved.