Android malware with SMTP capabilities

September 6, 2013

The Dell SonicWall Threats Research Team received reports of an Android malware capable of sending Emails using the SMTP protocol. We have observed Android malware evolve using new tricks to infect its victims but this is the first one to sport the use of SMTP to send sensitive device and user information to the attackers.

Infection Cycle

Before installation the app requests for the following permissions:

  • bind_device_admin
  • change_network_state
  • receive_sms
  • process_outgoing_calls
  • read_sms
  • read_user_dictionary
  • write_sms
  • send_sms
  • internet
  • write_external_storage
  • wake_lock
  • record_audio
  • modify_audio_settings
  • vibrate
  • receive_boot_completed
  • write_settings
  • disable_keyguard
  • read_contacts
  • write_contacts
  • get_tasks
  • write_secure_settings
  • read_phone_state

Once installed the app appears as 'Google Service' on the phone. Clicking on it will prompt the user into allowing the app to be set as device administrator, this essentially means that the app will be able to alter the security policy of the device. Whenever any app requests permission to be set as device administrator, it is highly advised to verify the intentions of the app before granting this permission.

Upon clicking the app nothing happens on the screen and the app is no longer visible in the app drawer, but it continues to run in the background. The app collects information on the device and attempts to send it using SMTP.
The app has capabilities to steal and send the following information:

  • Contacts on the phone
  • SMSes on the device
  • Audio recordings of the calls on the device

We found interesting strings in a function named sendAll() that gathers collected data and formats it for sending via SMTP

The app collects this information and sends it to the attackers via SMTP. We found the following SMTP servers in the code:


During our analysis the sample tried to communicate with but we did not see any further activity.

The motive of this malware is to send sensitive user information to the attackers, we have seen such spy apps in the past but most of them relied on SMS or HTTP as a medium to send the stolen information but this is the first malware to use SMTP. This just highlights that malware writers are constantly evolving Android malware with new tricks.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Spy.SMTP (Trojan)