Skip to main content


Is Your Android Spying on You?

Is Your Android Spying on You?

Has your personal data been compromised? Well, if you’re an Android mobile phone user and have downloaded an application infected with the KevDroid malware, it very well may have been. KevDroid typically appears as an anti-virus protection application in the Google Play Store but is really a remote access trojan, also called a RAT.

There are two variants of this malicious software. The first is named KevDroid because the author tag reads “Kevin.” This malware has the capabilities of recording calls, detecting location every 10 seconds, collecting a list of installed applications, contact information, text messages, call logs, stored E-mails, and photos. The second variant of this software, named “PU,” is larger than the previous version of KevDroid and uses an SQLite Database to store data. Still, this variant utilizes the same features as the original malware but adds camera recording, audio recording, web history stealing, file stealing, and gaining root access on the device.

Technical Detail

Both variants run on code freely available on GitHub and can steal information and record calls; however, the second variant has the ability to gain root access to the mobile device. This technique ensures that the malware can run without any user interaction while remaining stealthy. Higher privileges from obtaining root access provide the attacker with the ability to perform more in-depth actions, such as stealing information from other applications on the compromised device. Root access is obtained through an ELF (executable and linkable file) within the APK (Android PacKage – installation files) that exploit the known Android flaw CVE-2015-3636.  Once the mobile device is compromised, all stolen data is then sent to a command and control (C2) server, which is used by attackers to maintain communications with compromised devices.

Business Implications

While everyone with an Android mobile device should be concerned, any organization that allows its employees to access company email or networks via mobile devices should be especially alert.  If an attacker gains access to an employee’s mobile device, the individual could access or steal all of your organization’s sensitive data. This data includes credentials, multi-factor token access, emails, text messages, photos, contact info, files, and phone conversations the employee has stored on the device, all of which could lead to potential breaches of confidential information.

The 10 Commandments of Securing your Android:

Android users should be concerned with KevDroid, along with any trojan-like app; however, you can drastically lower your chances of being compromised by the steps below. Android users are advised to:

  1. Lock your phone: Lock your front door concept. Protect your devices with a pin or password lock so that nobody can gain unauthorized access to your device.
  2. Ensure that you opt for Google Play Protect: Uses machine learning and app usage analysis to weed out the dangerous and malicious apps.
  3. Allow Android to scan and verify apps: Even with Google always screening apps, there is always a chance that one slips through. Add an additional layer of security by tapping Setting > Google > Security > Verify Apps then enable “Scan device for security threats.”
  4. Install anti-virus and security software from a well-known cybersecurity vendor: Examples include Lookout Mobile Security, Bitdefender, and Norton Security. Be sure you read the user reviews, looking for red flags, and perform your own research outside the app store of your choice before downloading any app.
  5. Encrypt your device: To encrypt any sensitive data on your phone tap Settings > Security > Encrypt Device and following the prompts.
  6. Never open documents or attachments that you are not expecting: Even if it looks like it's from someone you know. Stop and ask yourself “how do I know this is really legitimate?”
  7. Ensure the Unknown Sources setting is disabled & only use Google Play Store apps: Google does it’s best to ensure that apps on Google Play are free of malware, but Google (or any app store) is unable to protect you from apps downloaded from third-party app stores or websites.
  8. Regularly update & backup your phone: If you do not update your phone when updates are available, you are leaving yourself susceptible for an attack. Tap Settings > About Phone > System Updates to check for an update. In addition, backing up your devices is extremely affordable. Storage is cheap, and automated, online backup options are plenty (Google Drive, CrashPlan, Carbonite, etc.). If your phone is ever stolen or compromised, you will thank yourself later for backing it up.
  9. Turn on Chrome’s Safe Browsing feature: Malicious apps are not the only threat to your Android device. The web is contaminated with sites that may try to steal your personal data. This safe browsing mode will warn you of any malicious sites and give you a chance to back away before exposing your phone. Tap Settings > Privacy > then enable “Safe Browsing.”
  10. If you don’t use an app, uninstall it: Most Android apps, but not all, do a good job of updating their software. If you no longer use an application, it’s best to simply uninstall the app, rather than having it reside on your phone and not receive updates. The fewer programs you have on your phone, the fewer chances an attacker will have to invade it.


If you follow these steps and implement them not only on your Android device, but all your devices, you will reduce your risk from compromise and attack. There is no such thing as being 100% secure in today’s world, but there are always ways to reduce your risk. With the global cost of cybercrime now exceeding over $600 billion and hackers creating more innovative schemes than ever before, working to be even a little bit more secure than you were yesterday is as important as ever.

Written by: Daniel Sebit and Jon Waldman
SBS CyberSecurity

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Thursday, November 29, 2018
Categories: Blog