Android Spyware Targeting Tanzania Premier League


The Zscaler ThreatLabZ team is always hunting for malware out in the wild. Recently, there have been endless cases where attackers were targeting mobile users with malware leveraging the COVID-19 pandemic.

Amidst all the COVID-related malware activities, we actually came across some Android malware samples that weren’t COVID-19 related. Instead, they were targeting the ongoing Tanzania Mainland Premier League football season. The Tanzania Mainland Premier League is the top-level professional football (or soccer, as it is most commonly known here in the United States) league in Tanzania, Africa.

Android Package

We came across some of the Android Packages (APKs) that were targeting two of the most famous football clubs in Africa, namely Simba SC and Yanga (Young Africans) SC.

We also found some legitimate apps on the Google Play store that are related to these clubs. As seen in Figure 2, the spyware portrays itself as the official app of the above-mentioned teams.

These apps are essentially spyware with the following capabilities:

  • Read SMS messages
  • Fetch contacts
  • Record audio
  • Calling functionality
  • Access real-time location
  • Read / Write external storage
  • Steal photos
  • Access the camera

Taken together, these capabilities amount to fully developed spyware with the complete feature set needed to monitor a victim's messages, contacts, calls, surroundings, location and files.
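Each capability in that list requires the app to request a corresponding Android permission in its manifest, which makes the permission set a cheap first triage signal when sorting a batch of APKs. The following script is an added example (not code from the original post or from Zscaler): it parses the `uses-permission:` lines that `aapt dump permissions <apk>` prints, maps them onto the capabilities listed above, and flags an APK whose permission set covers most of them. The two permission dumps embedded in it are constructed samples, not the manifests of the actual malware.

```python
import re
from typing import Dict, List, Set

# Capabilities named in the post, mapped to the AOSP permissions an app must
# request to perform them. The permission strings are real; the grouping and
# the capability names are our own for this example.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "fetch_contacts": {"android.permission.READ_CONTACTS"},
    "record_audio": {"android.permission.RECORD_AUDIO"},
    "calling": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "realtime_location": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA"},
}

# Format of the lines emitted by `aapt dump permissions`, e.g.
#   uses-permission: name='android.permission.READ_SMS'
_USES_PERMISSION = re.compile(r"^uses-permission: name='([^']+)'")


def parse_aapt_permissions(dump: str) -> Set[str]:
    """Return the set of permission names found in aapt dump output."""
    perms: Set[str] = set()
    for line in dump.splitlines():
        match = _USES_PERMISSION.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def matched_capabilities(perms: Set[str]) -> List[str]:
    """Capabilities for which at least one enabling permission is requested."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(dump: str, threshold: int = 5) -> Dict[str, object]:
    """Score an APK's permission dump; 'suspicious' when it covers
    at least `threshold` of the spyware capabilities."""
    perms = parse_aapt_permissions(dump)
    caps = matched_capabilities(perms)
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "score": len(caps),
        "suspicious": len(caps) >= threshold,
    }


# Constructed sample: what a simple club news/fixtures app might request.
BENIGN_DUMP = """package: com.example.club.news
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

# Constructed sample: a permission set covering every capability in the post.
SPYWARE_LIKE_DUMP = """package: com.example.club.official
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.CAMERA'
"""

if __name__ == "__main__":
    for name, dump in (("benign", BENIGN_DUMP), ("spyware-like", SPYWARE_LIKE_DUMP)):
        result = triage(dump)
        print(f"{name}: score={result['score']} suspicious={result['suspicious']} "
              f"capabilities={result['capabilities']}")
```

A high score is a reason to look closer, not a verdict: a genuine messaging or navigation app legitimately requests several of these permissions, and a malicious app can also request fewer up front and escalate later. Pair the permission check with the sample hashes and C&C indicators from the IOC section when hunting across a larger set of APKs.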

Upon further analysis, these APKs turned out to be developed using a popular surveillance tool named SpyMax. Its predecessor, SpyNote, was one of the most widely used spyware frameworks. In the past, there were instances where SpyNote was notoriously used to victimize Netflix users and a wide range of other Android users.

SpyMax seems to be a new favorite among attackers in the underground forums. We found evidence that SpyMax is being developed in these underground forums, with its main focus on compatibility with the latest Android versions and on antivirus evasion.

Many of the discussions are about trying to make SpyMax samples fully undetectable (FUD) by antivirus scans.

Though SpyMax itself is free, some developers claim to have developed their own versions that are undetected by antivirus software and are selling the samples at rates ranging from $45 to $350 per month. The same user shown in Figure 3 posted his or her prices, as can be seen in Figure 4.

Getting back to the campaign, we unfortunately could not track back to the command and control (C&C) server, as it was not active during our analysis.

But we were able to get hold of some more samples that were designed by the same attacker or group of attackers. (Hashes can be found in the IOC section at the end of this blog.)

One such sample developed by the attacker using SpyMax was a live streaming app that claimed to stream live football matches from the Tanzania Premier League.

The main purpose behind this is likely to reach a wide range of football fans and attack their devices. The icons of the app can be seen in Figure 5 (Live Stream is the first from the left).


IOCs
