As Mobile Malware evolves, how do you protect yourself from Mobile Spy Apps like Windseeker?


Recently, our research team spotted a new Chinese Android surveillance app that implements a new, unique injection technique. How is this significant? It clearly demonstrates the ongoing evolution of malware capabilities in mobile operating systems — adopting the same methods from the PC world.

This new mobile spying app, named “Windseeker,” runs on rooted Android devices and enables the threat actor to eavesdrop on popular Chinese Instant Messaging (IM) apps.

What’s the Threat?

Windseeker runs on rooted Android devices and enables the remote monitoring of two popular Instant Messaging (IM) apps, developed by Tencent (one of the largest Chinese Internet service portals):

  1. WeChat – A globally-used messaging apps boasting 100,000,000-500,000,000 downloads in the Google’s Play Store.
  2.  QQ – Mainly a Chinese-regional messaging app boasting ~800,000,000 users (a total of all mobile platforms, not just Android).

While this tool is intended for use in China due to the intended targets as Chinese instant messaging apps (WeChat and QQ) and monitored chats being in Chinese, it’s important to understand that this type of threat could be implemented anywhere.

How does Windseeker Work?
Windseeker initially checks if the device is rooted since rooting is necessary for the app to run. When the device is rooted, then Windseeker performs the following steps:

  1. Creates a process monitoring thread. This thread is used to identify when IM apps (like WeChat or QQ) are running.
  2.  Requests the user to register with its management server via SMS.
  3.  Injects malicious code which is the actual hooking process. The hooking process enables the Windseeker to spy on WeChat and QQ.
  4. Sends the monitored data back to the threat actor’s controlled server. The information from the IM chat can be conveniently viewed from a Web interface.

The target can see that the Windseeker app is installed, but they don’t know that it is monitoring their instant messaging chats.

What is New about Windseeker (aka “Give Me the Technical Details!”)?

Windseeker implements an innovative injection and hooking technique:

  1. Identifies an IM instance running
  2. Copies the below files that are bundled as assets to different locations on the device. These files perform the actual injection and hooking:
    a. inject_appso –> /system/bin/
    Used in order to inject the following libcall.so file to the IM client. The injector uses ptrace to allocate memory in the app for a small piece of native code that is then run to load the libcall.so shared library into the app.
    b. libcall.so –> /system/lib/
    Accesses the Java environment inside the targeted chat app. Accordingly, it loads the following conn.jar Java package.
    c. conn.jar –> /data/data/qy/
    Responsible for executing the hooking technique and for sending back the obtained IM information to the main Windseeker app. This file uses reflection in order to to replace the mCallback function in android.os.Handler, with its own predefined function. As a result, each time the mCallback function is called, conn.jar can monitor and manipulate the information. This new hook identifies when a chat activity is initiated in the IM app. Each message is then transferred via Android’s Intent to the Windseeker app. In turn, Windseeker sends the content back to server.

How  can a Mobile Device Become Infected with Windseeker?
Typically, a threat actor might infect a device using one of two methods:

  • Uploading the Windseeker app to a third-party Android marketplace. The attacker can hide it within an app that looks safe or just rely on victims to download an app they don’t recognise.
  • Gaining physical access to the device and manually installing the Windseeker app.

How can you protect yourself? What steps can you take? 
There are several things you can do to help protect yourself from these types of threats.

  1. Avoid rooting your device. Rooting exposes the device to exactly these types of threats
  2. Avoid installing applications from untrusted application marketplaces or other unknown sources
  3. Make a point to frequently review your list of installed applications to see if there is anything unfamiliar.

With the use of third party and gray market app stores, this can be a challenge for the enterprise as placing restrictions on this is hard to enforce. For organizations looking to reduce their risk not only in China but globally, having an advanced mobile threat detection solution in place can help with identifying these types of threats to reduce your risk and potential data loss.

What does the Future Hold in Terms of Mobile Surveillance Software?
This kind of hooking technique is not common in the mobile area. Up until now, commercial mobile surveillance apps usually obtained an app’s data through the file system or through a memory dump.

This hooking technique marks a new step in the evolution of malicious activity in mobile, which resembles the way PC-based malware has also evolved over the years. It’s only a matter of time until we see these adopted techniques become widespread and move into general mass-targeting mobile malware.

Thanks goes to fellow Senior Security Researcher Daniel Brodie for assisting in writing this blog.