ShrewdCKSpy: Mobile Spyware With A Hidden Agenda

Would you rather have a paranoid spouse spying on your smartphone or a shadowy entity with unclear motives? Spyware apps frequently serve the former group (suspicious lovers), but Lookout recently caught ShrewdCKSpy, a spyware app that falls squarely into the latter category. ShrewdCKSpy is a Korean spyware family whose variants can secretly record victims’ SMS messages and phone calls and then exfiltrate them to remote third party servers and email accounts. What does the group or individual behind this app do with the stolen data? We speculate on this question further below, but what’s unambiguous is that ShrewdCKSpy is an extremely invasive app that goes to great lengths to avoid detection. Thankfully, the risk of infection is minimal: detection volumes are low and primarily restricted to South Korea. And, of course, Lookout protects all its users from this threat.

ShrewdCKSpy unpacked

Few people would willingly download spyware on their phone, so ShrewdCKSpy entices its victims by posing as a generic marketplace app. When first launched it automatically opens the Google Play page for a popular Korean app that changes depending on the variant. With the victim’s attention elsewhere, ShrewdCKSpy stealthily removes its icon from the homescreen and sets about its dirty work. It grabs information about the infected device, including its phone number and SIM operator, and ferrets this data to remote servers. At its core, ShrewdCKSpy can capture and transmit the contents of SMS messages and phone calls to a remote server via HTTP and one variant can also send stolen data to designated email addresses. Perhaps even more troubling, ShrewdCKSpy also has the ability to auto-accept phone calls. This means an attacker could dial a compromised device, auto-accept the call, and capture ambient conversations within the vicinity of the microphone, turning the device into a de facto bugging device. ShrewdCKSpy can also remotely change the domains behind its command and control servers via SMS commands, but it won’t allow itself to be caught that easily. It can delete potentially incriminating call logs and SMS messages on compromised devices, leaving victims none the wiser.

ShrewdCKSpy’s agenda

Lookout found no evidence that the authors directly profit from the sale or third party distribution of this app, which leaves us to speculate that ShrewdCKSpy may serve an ulterior motive. It’s possible ShrewdCKSpy supports broader ID theft, fraud, or spam initiatives via the widespread collection of victims’ personal information. How much more compelling, for example, would a phishing scheme be if it used personal details ripped directly from your private SMS messages? Like the app itself, the author(s) behind ShrewdCKSpy have taken care to conceal their identities. The domains behind the C&C servers resolve to generic public hosting providers located in various countries and the code contains scant indication as to the nationality or identity of the author(s). Lookout did find one potential smoking gun. Samples of ShrewdCKSpy share heuristics with a family of Korean trojans previously identified by Lookout that steal online banking credentials. These two malware families also share significant binary similarities (including common classes) that would suggest they may share the same authors. In short, ShrewdCKSpy is not your typical piece of jealous spouse spyware. It’s a nasty, invasive app that you definitely don’t want on your device.

How To Stay Safe

• Only install apps from trusted stores
• Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.