Security Alert: New Android Malware—DDSpy—Fake Gmail Steals Your Privacy

NQ Mobile’s Security Research Center recently uncovered new Android malware—DDSpy—which disguises itself as Gmail and runs silently in the background, stealing your personal data. If you’re infected with this malicious application, you won’t see an icon for it. Instead, it will hide in your app list and wait for instructions from a remote server, which will send commands via SMS.

When DDSpy receives a command, it will configure the uploading email address and determine what content to steal. Our research shows that it’s capable of uploading the user’s SMS, call log, and vocal records. In addition, it reserves a GPS-uploading interface for future development. Because of this strange activity, we are concerned that it will evolve into more malicious spyware.


How it works

When DDSpy is installed, it waits for a remote server (controlled by the malware author) to send these messages: “BOOT_COMPLETED”, “SMS_RECEIVED” and “PHONE_STATE.” Once these messages are received, it starts stealing and uploading your personal information.
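A triage check based on the behaviour described above, added here as an example and not taken from NQ Mobile's tooling: it flags a decoded AndroidManifest.xml that declares no launcher icon yet registers receivers for all three trigger names. The package name and manifest are constructed, and the full action strings are the standard Android names for the short forms quoted above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Short names from the write-up; matched as the last segment of the action string.
TRIGGERS = {"BOOT_COMPLETED", "SMS_RECEIVED", "PHONE_STATE"}

# Constructed sample: a decoded manifest with a hypothetical package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakemail">
  <application android:label="Gmail">
    <receiver android:name=".Trigger">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name=".Recorder"/>
  </application>
</manifest>"""

def _names(parent, tag):
    """Collect the android:name attribute of every <tag> under parent."""
    return {e.get(ANDROID_NS + "name", "") for e in parent.iter(tag)}

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    # An app shows a launcher icon only if an activity filters MAIN + LAUNCHER.
    has_icon = any(
        "android.intent.action.MAIN" in _names(f, "action")
        and "android.intent.category.LAUNCHER" in _names(f, "category")
        for tag in ("activity", "activity-alias")
        for a in root.iter(tag)
        for f in a.iter("intent-filter")
    )
    # Which of the three triggers do the declared receivers listen for?
    heard = {
        name.rsplit(".", 1)[-1]
        for r in root.iter("receiver")
        for name in _names(r, "action")
    } & TRIGGERS
    return {
        "package": root.get("package"),
        "launcher_icon": has_icon,
        "triggers": sorted(heard),
        "suspicious": not has_icon and heard == TRIGGERS,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A hit is a reason to inspect the app further, not a verdict: legitimate background apps can match the same pattern.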

1.     Email Configuration

There’s a default email address coded in DDSpy, which can also be configured by SMS command. The command includes the following: command flag, receiving email address, sending email address, password, and uploading time.

2.     Call Recording

DDSpy starts recording on two occasions: when it detects outbound calls, and when it’s configured by SMS. The SMS command defines when the recording starts and stops, and sets the recording time. Either occasion can start the recording service in the background. The service starts recording and stores the rec file in the SDCard/DCIM/.thumbnails/ directory.


3.     Information Preparation

Whenever a call goes out or an SMS message is received, DDSpy adds a row to the database it maintains. Because DDSpy is installed on the Android device without your knowledge, you won’t see any signs that you’ve been bugged. However, every call you make and every SMS message you send will be recorded in the database, to be uploaded to the configured email address.

4.     Uploading

The uploading process is also configurable. A default uploading mode is coded in the application. At a certain time each day, DDSpy sends the information it has collected to an email address in a proper format. The sent email contains the SMS records, call log, and vocal records of the call.

5.     Further Study

Some personal information is related to financial business, such as your online bank account number. If this important and confidential information is leaked, your data could be at risk of theft. During our analysis, we found some unused interfaces that used GPS technology. For this reason, we expect this malware to evolve and we will keep an eye on this trend.


Protect Yourself from DDSpy

NQ Mobile Security users are already fully protected from DDSpy and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from DDSpy (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.