Android Malware Nickispy.C snoops on Users

August 18, 2011

The SonicWALL UTM Research team received reports of a new variant of the AndroidOS malware Nickispy that can record phone calls, log call details, SMS messages and GPS locations, copy contact information, and eventually send all of it to a remote server.

This malware was seen hosted on a Chinese website, riding on the popularity of the recently released social networking service Google+, as is evident from the name of the installed application: "Google++".


Users are advised against installing third-party applications from unknown or untrusted sources and to be wary of requests for suspicious permissions during installation.

Once the malware is downloaded and executed, it requests the following permissions during installation:


Take note of the unnecessary permissions requested by the malware, such as the ability to intercept outgoing calls, edit SMS or MMS, and record audio. These permissions should raise the user's suspicion that the application could be up to some phony activities.

Installed services include the following:


It also uses the following services:

  • CallLogService
  • CallRecordRegisterService
  • CallRecordService
  • CallsListenerService
  • ContactService
  • GpsService
  • KeyguardLockService
  • LocationService
  • ScreenService
  • SendResultService
  • SMSControllerService
  • SyncContactService
  • UploadService
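A defender can turn the permission and service indicators above into a quick manifest triage check. The following is an added example, not code from SonicWALL or from the malware: the mapping of the installer labels to Android permission constants, the threshold of three matching services, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: installer labels quoted in the advisory mapped to permission constants.
RISKY_PERMISSIONS = {
    "android.permission.PROCESS_OUTGOING_CALLS": "intercept outgoing calls",
    "android.permission.WRITE_SMS": "edit SMS or MMS",
    "android.permission.RECORD_AUDIO": "record audio",
}
# Service class names listed in the advisory.
ADVISORY_SERVICES = {
    "CallLogService", "CallRecordRegisterService", "CallRecordService",
    "CallsListenerService", "ContactService", "GpsService",
    "KeyguardLockService", "LocationService", "ScreenService",
    "SendResultService", "SMSControllerService", "SyncContactService",
    "UploadService",
}
# Constructed sample manifest (decoded XML form), not taken from the real APK.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".CallRecordService"/>
    <service android:name="com.example.constructed.GpsService"/>
    <service android:name=".UploadService"/>
    <service android:name=".MusicPlaybackService"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml, min_service_hits=3):
    """Flag risky permissions and advisory service names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Compare on the simple class name so ".Foo" and "pkg.Foo" both match.
    declared = {(e.get(ANDROID_NS + "name") or "").rsplit(".", 1)[-1]
                for e in root.iter("service")}
    perms = sorted(RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS)
    services = sorted(declared & ADVISORY_SERVICES)
    # Generic names like LocationService occur in benign apps, so require both signals.
    suspicious = bool(perms) and len(services) >= min_service_hits
    return {"permissions": perms, "services": services, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest inside an APK is stored as binary XML, so decode it first (for example with apktool), and use a hardened XML parser when the input comes from an untrusted sample.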

Once installed, this malware performs the following:

  • Records calls:
  • Records GPS locations:
  • Logs SMS messages:
  • It eventually uploads collected data to a remote server:
    • Remote Server: cs.{removed}
      Port: 2018

This malware is also known as Trojan-Spy.AndroidOS.Nickspy.g [Kaspersky], AndroidOS_NICKISPY.C [TrendMicro] and TrojanSpy:AndroidOS/Nickispy.B [Microsoft].

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Nickispy.C (Trojan)