Zscaler Blog
Security Research

Spyware presence in enterprise networks

April 05, 2018 - 5 min read

There are apps for everything, including spying. Users often download such apps for little to no cost and for innocent reasons, such as monitoring their children’s activity on mobile devices. However, what happens when the app is malicious and instead spies on the original user and the environments that user is in? In the BYOD enterprise environment, this can spell trouble for corporate networks.

During its daily tracking of malicious apps, the Zscaler ThreatLabZ team came across multiple commercial Android spyware programs. These malicious apps were proactively flagged by the Zscaler cloud sandbox, as seen below:

Fig 1: Zscaler Sandbox


Technical Details:

Name : NeoSpy
Package : nam.atapp.module
MD5 : 8e7fa22f043ec664cf482b7b7092b3d9

Upon installation, the spyware displays an icon named NeoSpy Mobile which, when tapped, asks the user to register or log in.

Fig 2: App Installation & Registration


For a new registration, it asks for a login name, login email, and password. These details are sent to the server in plain text over HTTP, as can be seen in the screenshot below. Anyone sniffing the network can capture them, which opens another attack vector, but that is a completely different story.

Fig 3: Registration Request

Once registration is successful, the spyware asks which features to enable or disable on the victim's device. Features include:

  • Intercepting SMS messages
  • Intercepting calls
  • Enabling a keylogger (to steal anything typed by the victim, especially passwords)
  • Stealing the victim's GPS coordinates
  • Reporting the victim's online status
  • Stealing photos
  • Frequency for sending GPS coordinates (5 minutes / 1 hour / never)

Fig 4: Enabling spying features

As soon as basic setup is done, the app icon is immediately hidden from the device. Soon after, the server responds with the location to which the victim's data will be sent. The screenshot below shows the request/response:

Fig 5: Server response with destination IP

As soon as the destination address is received, NeoSpy starts its services, continuously watches for incoming SMS messages and phone calls, and sends them to the IP address specified by the NeoSpy server. Throughout the spyware's life cycle, the victim remains totally unaware. The screenshot below shows stolen data being sent.

Fig 6: Stolen data sent to attacker
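The two network behaviours described above (credentials posted in plain text over HTTP during registration, and stolen SMS/call data posted to a bare IP address handed out by the server) are both visible to an outbound web proxy. The following Python example is added here and is not code from the post or from Zscaler; it runs two heuristic rules over a few constructed proxy log lines. The log format, device IDs, hostnames and the address 203.0.113.10 are all assumptions for the example; the rules are generic, not specific to NeoSpy.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines for the example (not from the post). Assumed format:
# <timestamp> <device_id> <method> <url> <content_type> <body_preview>
SAMPLE_LOG = """\
2018-03-28T10:01:03Z dev-17 POST http://spyware-portal.invalid/register application/x-www-form-urlencoded login=alice&email=alice%40example.invalid&password=hunter2
2018-03-28T10:01:09Z dev-17 POST http://203.0.113.10/upload multipart/form-data sms=...
2018-03-28T10:02:41Z dev-17 GET https://www.example.invalid/news text/html -
2018-03-28T10:03:00Z dev-22 POST https://login.example.invalid/auth application/x-www-form-urlencoded user=bob&password=secret
"""

# Form field names that usually carry a credential.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "login_password"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+) (?P<body>.*)$"
)


def _is_literal_ip(host: str) -> bool:
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_line(line: str) -> list[tuple[str, str, str]]:
    """Return (rule, device_id, url) findings for one proxy log line."""
    match = LINE_RE.match(line)
    if not match:
        return []  # unparseable line: skip rather than guess
    rec = match.groupdict()
    parts = urlsplit(rec["url"])
    findings = []

    # Rule 1: credential-looking form field submitted over plain HTTP.
    # HTTPS submissions with the same field are deliberately not flagged.
    if rec["method"] == "POST" and parts.scheme == "http":
        fields = {name.lower() for name in parse_qs(rec["body"])}
        if fields & CREDENTIAL_FIELDS:
            findings.append(("cleartext_credentials", rec["device"], rec["url"]))

    # Rule 2: upload to a bare IP address instead of a hostname, the pattern
    # seen when the spyware posts intercepted data to a server-supplied IP.
    if rec["method"] == "POST" and parts.hostname and _is_literal_ip(parts.hostname):
        findings.append(("post_to_bare_ip", rec["device"], rec["url"]))

    return findings


def analyze(log_text: str) -> list[tuple[str, str, str]]:
    """Run both rules over every non-empty line of a log dump."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            results.extend(check_line(line))
    return results


if __name__ == "__main__":
    for rule, device, url in analyze(SAMPLE_LOG):
        print(f"{device}: {rule} -> {url}")
```

Both rules are noisy on their own (plenty of legitimate apps talk to IP literals, and some still post forms over HTTP), so treat a hit as a triage lead for the device in question rather than a verdict, and correlate with the device's installed-app inventory.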

On the other side, the attacker simply needs to log in to the NeoSpy dashboard, which displays the number of devices infected, as shown in the below screenshot:

Fig 7: Attacker's dashboard

We ran the spyware in a controlled environment where the virtual Android device was made to receive an SMS message and a call. The spyware successfully intercepted the data and relayed it to the server. Both items, along with the location of the device, are visible on the dashboard, as shown in the screenshot above.

During our analysis, we also found a variant of this spyware available on the Google Play Store with between 10,000 and 50,000 installs. Zscaler ThreatLabZ contacted Google's Android security team and the app was promptly removed from the Google Play Store. Such spyware uses false or misleading advertising to lure Google Play Store users: SMS spyware programs portray themselves as parental control apps, and location stealers portray themselves as phone tracking devices. In this case, NeoSpy portrayed itself as an anti-theft app with the following description:

"This is an effective phone monitoring module that allows you to find a lost phone or tablet using the geographical coordinates sent to your account. Also you will be able to monitor your child, check where he is, and with whom he communicates, protect him from unwanted acquaintances. All data sent to your personal account is securely protected (AES-128 encryption)."

The screenshot below shows this spyware app on Google Play Store before it was removed:


Fig 8: NeoSpy on Google Play Store


The use of Android spyware apps has become fairly common, but under corporate BYOD (Bring Your Own Device) policies their impact can be devastating, as employees bring devices loaded with spyware and connect them to the company's network. An infected device on a corporate network could leak sensitive information to an attacker. Or imagine a spyware app on the mobile device of government or defense personnel, leaking not only private call details but also locations and photos that may contain highly sensitive information.

In most cases, an attacker needs physical access to the device to set up such spyware properly. It is therefore advisable to enforce a screen lock, such as a pattern lock or PIN lock, on mobile devices.

While further examining the Zscaler cloud, we found an increased presence of spyware in enterprise networks over the past two months (see details in Appendix A). Zscaler identified this threat as Android.Gen.Spyware.

Appendix A

App Name           MD5                               Spyware Variant
MobileTracker App  53ec451d2746f35ea2183fed71b792d4  Mobile-Tracker-Free (MTF)
MobileTracker App  875ea463d7f40709f53b5eb9fbdb231f  Mobile-Tracker-Free (MTF)
MobileTracker App  fbd72f310c9efcdf48e7d69c02ac0219  Mobile-Tracker-Free (MTF)
MobileTracker App  efb56ceea844ddffc97b3c5ba973f39f  Mobile-Tracker-Free (MTF)
MobileTracker App  19fd7f77c8431df87593ce9468a90c7e  Mobile-Tracker-Free (MTF)
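The hashes in Appendix A, the NeoSpy sample hash and the package name nam.atapp.module from the Technical Details section are the concrete indicators this post gives a defender. The Python example below is added here and is not code from the post or from Zscaler: it matches an MDM-style inventory of installed apps against those indicators, and adds one behavioural heuristic drawn from the write-up (an app that has hidden its launcher icon yet holds SMS or call-log permissions). The inventory records, device IDs, the non-NeoSpy package names and the permission list used by the heuristic are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass

# Indicators copied from the post: the NeoSpy sample plus the Appendix A samples.
KNOWN_SPYWARE_MD5 = {
    "8e7fa22f043ec664cf482b7b7092b3d9": "NeoSpy",
    "53ec451d2746f35ea2183fed71b792d4": "Mobile-Tracker-Free (MTF)",
    "875ea463d7f40709f53b5eb9fbdb231f": "Mobile-Tracker-Free (MTF)",
    "fbd72f310c9efcdf48e7d69c02ac0219": "Mobile-Tracker-Free (MTF)",
    "efb56ceea844ddffc97b3c5ba973f39f": "Mobile-Tracker-Free (MTF)",
    "19fd7f77c8431df87593ce9468a90c7e": "Mobile-Tracker-Free (MTF)",
}
KNOWN_SPYWARE_PACKAGES = {"nam.atapp.module": "NeoSpy"}

# Heuristic (an assumption, not from the post): permissions an app needs to
# intercept SMS messages or calls. Combined with a hidden launcher icon this
# mirrors the behaviour described for NeoSpy after setup.
INTERCEPT_PERMISSIONS = frozenset({
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
})


@dataclass(frozen=True)
class InstalledApp:
    device_id: str
    package: str
    md5: str
    has_launcher_icon: bool
    permissions: frozenset = frozenset()


def md5_of_apk(apk_bytes: bytes) -> str:
    """Hash raw APK bytes so the result can be looked up in KNOWN_SPYWARE_MD5."""
    return hashlib.md5(apk_bytes).hexdigest()


def classify(app: InstalledApp) -> list[str]:
    """Return the reasons (possibly none) an installed app looks like spyware."""
    findings = []
    family = KNOWN_SPYWARE_MD5.get(app.md5.lower())  # tolerate upper-case exports
    if family:
        findings.append(f"known hash ({family})")
    family = KNOWN_SPYWARE_PACKAGES.get(app.package)
    if family:
        findings.append(f"known package ({family})")
    if not app.has_launcher_icon and app.permissions & INTERCEPT_PERMISSIONS:
        findings.append("hidden icon with SMS/call permissions")
    return findings


def scan_inventory(apps) -> dict[tuple[str, str], list[str]]:
    """Map (device_id, package) to findings for every app that triggered a rule."""
    report = {}
    for app in apps:
        findings = classify(app)
        if findings:
            report[(app.device_id, app.package)] = findings
    return report


# Constructed inventory for the example (not real device data).
SAMPLE_INVENTORY = [
    InstalledApp("dev-17", "nam.atapp.module", "8E7FA22F043EC664CF482B7B7092B3D9",
                 False, frozenset({"android.permission.RECEIVE_SMS"})),
    InstalledApp("dev-22", "com.example.tracker", "53ec451d2746f35ea2183fed71b792d4",
                 True),
    InstalledApp("dev-22", "com.example.weather", "d41d8cd98f00b204e9800998ecf8427e",
                 True, frozenset({"android.permission.ACCESS_FINE_LOCATION"})),
    InstalledApp("dev-31", "com.example.unknownsvc", "00000000000000000000000000000000",
                 False, frozenset({"android.permission.READ_SMS",
                                   "android.permission.READ_CALL_LOG"})),
]

if __name__ == "__main__":
    for (device, package), reasons in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{device} {package}: {', '.join(reasons)}")
```

Hash and package matches are exact and only catch the samples listed here; the hidden-icon heuristic is what catches the next repackaged variant, at the cost of false positives from legitimate background services, so review those hits rather than auto-blocking on them.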