A recently discovered piece of Android stalkerware can install itself persistently on the system partition and steal the file containing the hash sum for the screen unlock pattern or password, allowing its operators to unlock devices.
The new threat is far more advanced than other stalkerware out there, which typically only includes functionality to transmit the victim’s current geolocation and only sometimes also packs the ability to intercept SMS and call data, Kaspersky reveals.
Referred to as MonitorMinor, the stalkerware targets communication applications to intercept victims’ conversations, including LINE, Gmail, Zalo, Instagram, Facebook, Kik, Hangouts, Viber, Hike News & Content, Skype, Snapchat, JusTalk, and BOTIM.
Given that Android sandboxes applications to prevent direct communications between them — this feature is called DAC, or Discretionary Access Control — MonitorMinor requires root access to bypass the security system and perform nefarious activities.
For that, the stalkerware requires a SuperUser-type app (SU utility) to be installed, either through malware or by the users themselves. Using the utility, MonitorMinor escalates privileges to gain full access to the targeted apps.
Once it obtains root privileges, the threat can also extract the file /data/system/gesture.key, which contains the hash sum for the screen unlock pattern or the password. This basically allows MonitorMinor operators to unlock the device when nearby or when physical access is available.