Android Malware KevDroid Records Audio and Harvests Sensitive Data

Android Malware KevDroid Records Audio and Harvests Sensitive Data

Recently, a new Android malware has been spotted which was caught being distributed in the form of a bogus antivirus application named “Naver Defender”. Dubbed as “KevDroid”, this new Android malware is a remote administration tool that steals sensitive data from the affected devices. What’s more is that it can also record phone calls on the infected devices.

This new Android malware was discovered first by the ESET researchers and was later analyzed by Cisco Talos. According to Cisco Talos, there are two variants of the Android Remote Administration Tool or RAT – both of which have the same capabilities that include stealing information from the compromised Android devices. The information consists of the victims’ contacts, SMS and phone history. Aside from that, this malware also has the ability to record phone calls of the victims.

A variant of the Android malware was detected to leverage an Android exploit known as “CVE-2015-3636” so it can obtain root access on the infected Android device as per the statement was given by the researchers on their detailed analysis. Moreover, the information gathered by both of these Android variants was sent via HTTP POST to what seems to be a unique command and control (C&C) server. As for its ability to record phone calls, it was implemented based on an open source project which is available on GitHub.

At the time of writing, researchers have yet to find out the attackers behind KevDroid but according to media coverage in South Korea, this Android malware might be connected to the North Korea state-sponsored group dubbed as “Group 123” which is a group behind cyber espionage campaigns.

The present list of the KevDroid malware’s capabilities includes the ability to record phone calls as well as audio data, steal web history and files, obtain root access, steal call logs, emails, SMS, collect the devices’ location every 10 seconds and harvest the list of applications installed in the devices.

Once KevDroid has done its pursuit in obtaining sensitive data in the affected devices, this could result in wide range of issues for the infected devices since these days, smartphones are nearly used in all kinds of activities and contain tons of sensitive and personally identifiable data and files like photographs, passwords, bank credentials and so on. For instance, a KevDroid Android infection could result in leakage of data which could lead to another bunch of issues for the affected users.

The result could also depend on a user’s status. For instance, if the user is a corporate one, it could result in the kidnapping of a loved one, or blackmailing them with the obtained images from their devices or with confidential information, harvesting of banking credentials, multi-factor token access or SMS MFA, access to privileged information that are sent or received via texts and emails. To prevent Android malware like KevDroid, you must avoid installing applications from unknown and thirds party sources as they most likely contain malware-laden apps. It would also help if you keep both your system and security apps updated at all times.