Android Stalkerware can Track Gmail, WhatsApp, Instagram, and Facebook User Activity

Android Devices

A newly discovered piece of Android stalkerware can be permanently mounted on the network partition and steals a file containing the hash sum for a screen unlock template or password to enable its operators to unlock smartphones.

The latest vulnerability is much more sophisticated than other stalkerware out there, which usually contains just the capability of sharing the victim’s current geolocation and only occasionally carries the power to capture SMS and call info, Kaspersky reports.

Referred to as MonitorMinor, stalkerware exploits communications apps to capture victim messages, like LINE, Gmail, Zalo, Instagram, Facebook, Kik, Hangouts, Viber, Hike News & Video, Skype, Snapchat, JusTalk, and BOTIM.

Given that Android sandboxes prohibit clear contact between them— this function is called DAC, or Discretionary Access Control — MonitorMinor allows root access to circumvent the protection mechanism and execute nefarious activities.

To order to achieve so, the stalkerware demands that the SuperUser-type software (SU utility) be enabled, either by ransomware or through the users themselves. Use the feature, MonitorMinor scales, rights to achieve complete access to the selected applications.

When the root credentials are accessed, the attacker may also retrieve the file/data/system/gesture .key, which includes the hash amount for the screen unlock pattern or password, which effectively helps MonitorMinor operators to activate the computer while it is close or when physical access is accessible.

“This is the first time we have registered such a function in all our experience of monitoring mobile platform threats,” Kaspersky says.

For continuity, the stalkerware uses gained root access to remount the device partition to read/write mode, copy to it, and reset the partition to read-only mode. This means that users can not quickly delete it using standard Iso software.

Also, if root access is not accessible, MonitorMinor can often participate in illegal practices by exploiting the Accessibility Services API to monitor events in targeted applications.

The stalkerware provides a keylogger feature introduced by the same API, which means that every form of a target on the system is submitted to cybercriminals. The clipboard is often tracked and transmitted to operators.

Using MonitorMinor, attackers may monitor the computer using SMS commands, display real-time footage from the device’s cameras, capture sound from the device’s microphone, display the Chrome browsing history and use data on other applications, and access the device’s internal storage, contact list, and machine log.

India is the most impacted, with 14.71 percent of illnesses, with Mexico (11.76 percent), Germany, Saudi Arabia, and the United Kingdom (approximately 5.88 percent each) rounding up the top five. Kaspersky did not disclose a precise amount of compromised devices with SecurityWeek.

Kaspersky’s security researchers found an Indian-named Gmail account in the MonitorMinor database, indicating that this could be their country of origin. However, control panels were also located in Turkish and English.

“MonitorMinor is superior to other stalkerware in many aspects. It implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks,” the security firm concluded.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.