Community Manager
Staff member
Google has removed four Android applications from the Play Store after security researchers from Lookout found them infected with a spyware trojan that harvested information about the infected devices and their users.

Based on the profile of the four infected apps, it appears that someone was targeting businessmen or tourists, possibly traveling to or from Russia.

Three of the infected apps were news-related, from a developer named RSS News, Inc.. Two of these three apps showed news items related to Russia, while the third showed news on European topics.

The fourth and last app detected as infected with the spyware could be used to search for embassies around the world.

Overseer spyware C&C hosted on Amazon AWS
A technical analysis reveals that these apps contained a spyware trojan named Overseer, which communicates with a remote command and control (C&C) server located on Amazon AWS, running a Facebook Parse server.

All communications are encrypted via HTTPS, but researchers found traces of the malicious behavior in the app's source code.
The spyware, whenever it receives a specific command from its masters, would collect a trove of data about the device and send it back to the C&C server.

Spyware collects a boatload of data
Collected data includes details such as the device IMEI, IMSI, MCC, and MNC identifiers, but also the phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user.

On top of these, Overseer would also collect the phone's contact list, a list of all users accounts on the infected device, currently installed apps, app permissions, which apps were sideloaded, if the device is rooted, base station ID, latitude, longitude, network ID, and location area code.

The data collection process is so thorough that the spyware collects even the number of times the user has contacted specific phone numbers.

Overseer is no doubt the work of a well-versed Android malware developer that has an interest in keeping an eye on what people read and where they travel aboard.

The lack of any commercialization attempts, such as click-fraud or adware installation, points the finger towards a group with political or economic cyber-espionage interests.