James Delahunty
3 Aug 2011 14:51
CA Security Advisory details Android call snooping trojan.
There has been a lot of attention focused lately on the growth of malware in circulation for the popular Android smartphone operating system. Some past discoveries include applications that leak private information on Internet and other usage, and that record text messages and details of calls made and received, which can then be uploaded to a remote server.
This new Trojan takes things a step further by actually recording phone calls to local storage in the AMR format before uploading them to a server specified by the attacker.
The Trojan dubs itself the "Android System Messenger" and asks for permission upon installation to be allowed to intercept outgoing calls. This should act as a warning for users, but the truth is most users see these messages all too often and end up just ignoring them. The same problem is seen with User Account Control prompts on Windows, where users allow a program to execute even if they have no idea what it is.
When installed, the malware drops a configuration file to the device, which includes information on the remote server to which the files are uploaded. When a call is made, the conversation is recorded to a .amr file located in a directory "shangzhou/callrecord". The directory hints at a Chinese origin for the malware.
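A triage check for the artifacts described above, as an added example that is not part of the CA advisory: it walks a copy of a device's storage that has already been extracted to a local directory, flags any "shangzhou/callrecord" directory, and reports which files in it carry an AMR header. The function names, the position of the directory under the storage root, and the sample tree are assumptions constructed for illustration; the AMR signatures are the standard file magic for the format.

```python
import os
import tempfile

# Standard AMR file signatures (narrowband and wideband).
AMR_MAGICS = (b"#!AMR\n", b"#!AMR-WB\n")
# Directory named in the advisory, split into path components.
IOC_DIR = ("shangzhou", "callrecord")

def is_amr(path):
    """Return True if the file starts with an AMR magic header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(9)  # longest signature is 9 bytes
    except OSError:
        return False
    return head.startswith(AMR_MAGICS)

def find_call_recordings(root):
    """Return one finding per file located under any */shangzhou/callrecord."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = tuple(p.lower() for p in os.path.normpath(dirpath).split(os.sep))
        if parts[-2:] != IOC_DIR:
            continue
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            findings.append({"path": os.path.relpath(full, root),
                             "amr_header": is_amr(full),
                             "size": os.path.getsize(full)})
    return findings

def build_sample_tree(root):
    """Constructed sample data: a recording, a non-AMR file, an unrelated AMR file."""
    ioc = os.path.join(root, "sdcard", "shangzhou", "callrecord")
    music = os.path.join(root, "sdcard", "Music")
    amr = b"#!AMR\n" + b"\x3c" * 32  # header plus filler bytes, not real audio
    samples = [(ioc, "sample1.amr", amr), (ioc, "notes.amr", b"plain text"),
               (music, "memo.amr", amr)]
    for directory, name, data in samples:
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in find_call_recordings(tmp):
            print(finding)
```

A file in the flagged directory without an AMR header is still worth reviewing, since it may be the dropped configuration file or a partially written recording.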
The amount of malware targeting Android has exploded in the past year, due to the large use of "unauthorized" App markets, though the number of dodgy applications even found in Google's market has increased dramatically. Android's wide usage globally also gives every incentive for malware peddlers to target it.