October 28, 2019

Lookout Security Intelligence Team Discovery of AzSpy

How Lookout Detects and Protects Against Threats like AzSpy

Lookout Security Intelligence teams leverage both static and dynamic analysis with our machine learning engine to discover new threats. The market for commercial spyware is constantly growing and appeals to more than your standard user – it has also been seen in targeted nation-state attacks in the past. The Lookout team is continuing to monitor this family’s capabilities and any new samples that may be ingested.

Key Facts

  • New commercial Android spyware
  • Can pull data about device location, storage, and phone number. It also has keylogging capabilities.
  • Could be distributed via phishing or URL shorteners

Background and Discovery Timeline

Researchers recently identified a small spyware family which appears to have been created by an Azerbaijani developer. While there are not many samples of this spyware to date, it appears to be part of a new commercial Android spy platform, known as FullSpy for Android, with a user login page to monitor infected devices. The malware pretends to be an application called “Google Services” with a replica Google icon, likely in an attempt to seem innocuous. However, the applications actually contain standard surveillanceware capabilities, and various commands give the actor control over the phone, allowing for exfiltration of sensitive data.

Capabilities and Affected Parties

The spyware can access the phone’s hardware serial number, phone number, battery status, connection type, internal and external storage availability, network operator, GPS location, Android version, and whether the device is rooted. Additionally, it has keylogging functionality for a hardcoded list of applications such as Chrome, Firefox, and Yandex Browser.
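The "Google Services" disguise and the capability set above translate into a simple defender-side triage check. The following is an added example, not Lookout's tooling: it maps the described capabilities to the Android manifest permissions an app would normally need and flags Google branding outside Google's own package namespace. The mapping of keylogging to BIND_ACCESSIBILITY_SERVICE is an assumption (the write-up does not say how AzSpy implements it), and the manifest is a constructed sample, not an AzSpy artifact.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities described in the write-up, mapped to the manifest permissions an
# Android app would ordinarily need to implement them. The keylogging row is an
# assumption: apps that capture keystrokes in other apps usually bind an
# AccessibilityService; the write-up does not say how AzSpy implements it.
CAPABILITY_PERMISSIONS = {
    "gps_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "phone_number": {"android.permission.READ_PHONE_STATE"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

# Constructed sample manifest (decoded form, as apktool emits); not a real AzSpy file.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.svc">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Google Services">
    <service android:name=".Watch"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Summarise which described capabilities a manifest could support."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # BIND_ACCESSIBILITY_SERVICE is declared on the <service>, not as <uses-permission>.
    perms |= {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    caps = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if perms & need)
    # Google branding outside Google's package namespace mirrors the disguise above.
    impersonates = "google" in label.lower() and not package.startswith("com.google.")
    return {"package": package, "label": label, "capabilities": caps,
            "impersonates_google": impersonates}


def is_suspicious(report: dict) -> bool:
    """Flag brand impersonation combined with most of the described capability set."""
    return report["impersonates_google"] and len(report["capabilities"]) >= 3
```

The heuristic is a triage aid for sorting samples, not proof of malice: legitimate apps can request the same permissions, so a hit should lead to manual review.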

Aside from uncovering the login pages to manage infected devices, Lookout also discovered another part of the infrastructure that presents itself as a well-designed site to download a program advertised as “Smart Telegram for WordPress”. This site is potentially a watering hole in progress, because while the APK can be downloaded from the site, it is not found through easily clickable links, but rather by knowing the appropriate file path. This could indicate that further development is still needed, or the app is potentially distributed via deep phishing links or URL shorteners.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Discovered By: Lookout
Entry Type: Threat Guidances
Threat Type: Spyware
Platform(s) Affected: Android

