Windseeker – A Malicious App

A malicious app dubbed Windseeker has been detected by security experts at Lacoon Mobile Security that utilizes a rare injection in hooking techniques to spy on the users. It is one of those dangerous Android apps which have drawn the attention of experts at the Lacoon Mobile security and the main features of the app are its injection and techniques to spy on mobile users. The techniques are very rare in mobile ecosystem wherein Windseeker operated on rooted Android devices enables attackers to probe on popular instant messaging apps in China, WeChat and QQ.

Lacoon noticed Windseeker in third party app marketplace though an attacker would need physical access to the device to get installed and to register the app. In a recent interview with SC Magazine, Avi Bashan, CISO at Lacoon Mobile Security states that the app’s injection and hooking techniques are a focal point of the threat wherein the techniques has two sections.

The first being the injection that occur on the native file which uses ptrace procedure and is also used to inject a second file to target instant messaging app while in the second section, the injected native file loads a java file which enables to monitor the activity of the messaging app through the API hooking.

Threat – Cause for Worry

This discovery is a cause for worry and Bashan explains that these types of treat could be utilized in spying data of any kind of application. In his blog he has also mentioned about the threat that it was `important to understand that this type of threat could be implemented anywhere’. Bashan further states that `hooking over an API code would mean that each time the app calls to the API, instead of going directly to the system, the data is intercepted by the attacker and when it is on the device, it is called “hooking” and when it is over the network it is known as a man-in-the-middle attack which PC malware has been doing it for years. Bashan has also highlighted in his blog post that the hooking techniques does not seem to be a common attack method in the mobile field.

How Does the Windseeker Functions

Initially the Windseeker checks if the device is rooted since it is essential for the app to run and if rooted, it performs the following process:

• Creates a process monitoring thread which is used to identify if IM apps such as WeChat or QQ are active. 
• Request the user to register with its management server through SMS 
• It injects a malicious code which in fact is the hooking process that enables the Windseeker to spy on WeChat and QQ 
• It directs the monitored data back to the threat actor’s controlled server where the details from the IM chat could be viewed conveniently from a web interface.

The target gets the opportunity of viewing the Windseeker app that is installed but will be unaware of its capabilities of monitoring their instant messaging chats. According to Bashan, till now commercial mobile surveillance apps sought an app’s data through a file system or a memory dump and the hooking techniques indicates a new step in the evolution of threat in mobile resembling the way PC based malware evolved all through the years.

Steps to be taken for Protection - 

• Avoid rooting the device since it exposes the device to these kinds of threats. 
• Avoid installing application from unreliable application marketplaces or unknown sources. 
• Ensure to review your list of installed applications frequently to see if there is anything that is unfamiliar.