Android Malware Nickispy.C snoops on Users (Aug 18, 2011)


SonicWALL UTM Research team received reports of a new variant of AndroidOS malware Nickispy that can record phone calls, log call details, sms messages, gps locations, and copy contact informations and eventually sends them to remote server.

This malware was seen hosted in a chinese website riding on the popularity of recently released social networking service Google+ as evident on its use of installed application – “Google++”.


Users are advised against installing third-party applications from unknown or untrusted sources and to be wary of request for suspicious permissions during installation.

Once the malware is downloaded and executed, it requests for the following permissions during installation:


Take note of unnecessary permissions requested by the malware such as able to intercept outgoing calls, edit SMS or MMS and record audio. These permissions should raise the user’s suspicion that the application could be on to some phony activities.

Installed services include the following:


It also uses the following services:

  • CallLogService
  • CallRecordRegisterService
  • CallRecordService
  • CallsListenerService
  • ContactService
  • GpsService
  • KeyguardLockService
  • LocationService
  • ScreenService
  • SendResultService
  • SMSControllerService
  • SyncContactService
  • UploadService

Once installed, this malware performs the following:

  • Record Calls:
  • Record GPS Locations:


  • Logs SMS Messages:
  • It eventually uploads collected data to a remote server:
    • Remote Server: cs.{removed}
      Port: 2018

This malware is also known as Trojan-Spy.AndroidOS.Nickspy.g [Kaspersky], AndroidOS_NICKISPY.C [TrendMicro] and TrojanSpy:AndroidOS/Nickispy.B [Microsoft]

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AndroidOS.Nickispy.C (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.