Trojan:Android/Nickispy.A

Classification

Category: Malware

Type: Trojan

Platform: Android

Aliases: Trojan:Android/Nickispy.A, Nickispy.A, Nickispy.C

Summary

Trojan:Android/Nickispy.A records activities on an infected device and forwards the information to an external server without the user's knowledge or consent.

Removal

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

Trojan:Android/Nickispy.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation

Prior to installation, Trojan:Android/Nickispy.A displays the following permission requests:

Screenshots 1 and 2: Permissions requested by Trojan:Android/Nickispy.A

Activity

Trojan:Android/Nickispy.A is activated upon start up of the mobile device. The trojan then starts one or more of the following services in the background:

  • GpsService
  • MainService
  • SocketService
  • XM_SmsListener
  • XM_CallListener
  • XM_CallRecordService

Screenshots 3 and 4: Services started by Trojan:Android/Nickispy.A

These services are able to monitor the following activities on the device:

  • Phone calls
  • SMS messages
  • GPS location information
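A triage check built on the service names listed above, as an added example (not F-Secure's detection logic). It assumes the app's AndroidManifest.xml has already been decoded to text XML. The hit threshold, the split into generic and distinctive names, and the sample package names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

NS_URI = "http://schemas.android.com/apk/res/android"
# Service names listed in the Activity section of this page.
NICKISPY_SERVICES = {
    "GpsService", "MainService", "SocketService",
    "XM_SmsListener", "XM_CallListener", "XM_CallRecordService",
}
# Assumption: these names are generic enough to appear in benign apps,
# so they never flag a package on their own (avoids false positives).
GENERIC = {"GpsService", "MainService", "SocketService"}

def declared_services(manifest_xml):
    """Return the short class names of all <service> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for svc in root.iter("service"):
        full = svc.get("{%s}name" % NS_URI, "")
        # android:name may be absolute, relative (".Foo") or bare ("Foo").
        short = full.rsplit(".", 1)[-1]
        if short:
            names.add(short)
    return names

def triage(manifest_xml, min_hits=3):
    """Flag when >= min_hits listed names match and one is distinctive."""
    hits = declared_services(manifest_xml) & NICKISPY_SERVICES
    suspicious = len(hits) >= min_hits and bool(hits - GENERIC)
    return suspicious, sorted(hits)

def sample_manifest(*names):
    """Build a constructed manifest declaring the given service names."""
    body = "".join(f'<service android:name="{n}"/>' for n in names)
    return (f'<manifest xmlns:android="{NS_URI}" package="com.example.constructed">'
            f"<application>{body}</application></manifest>")

# Constructed samples: one resembling the described trojan, one benign app.
SAMPLE_SUSPECT = sample_manifest(
    ".GpsService", "com.example.constructed.SocketService",
    ".XM_SmsListener", ".XM_CallRecordService")
SAMPLE_BENIGN = sample_manifest(".MainService", ".GpsService", ".SyncService")

if __name__ == "__main__":
    for label, xml in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(xml))
```

A match is a reason to inspect the package further, not a verdict; the benign sample shows why generic names alone are not enough.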

The recorded information is saved to two folders the trojan creates on the phone's SD card (if available); it is also forwarded to the following remote locations:

  • jin.[...].com
  • ann.[...].com

The trojan may also send an SMS message containing the phone's International Mobile Equipment Identity (IMEI) number to the following number:

  • 15859268161
  • Trojan:Android/Nickispy.C