ANDROIDOS_MOBSTSPY Spyware

Original Issue Date:- January 07, 2019
Virus Type:- Spyware
Severity:- Medium

There have been reports that a new Android spyware (named ANDROIDOS_MOBSTSPY) is spreading. The spyware is distributed through seemingly legitimate Android applications published under a variety of names, such as games, a flashlight and a Windows emulator.

  • Once the malicious application reaches the victim's device, it checks for network connectivity and tries to establish a connection with its attacker-controlled command and control (C2) server. After the connection is established, it registers the victim's device information (registered country, package name, device manufacturer, etc.) with the C2.
  • Based on this information, the C2 sends commands to the victim's device to gather data such as user location, SMS conversations, call logs and clipboard items, and to steal and upload files. The collected data is sent to the attacker-controlled C2 and used at a later stage for malicious activity.
  • For credential theft, the spyware also has phishing capabilities: it displays fake Facebook or Google pop-ups to push the victim into entering their credentials.


Indicators of Compromise:

Command and Control Servers

  • hxxp://www[.]mobistartapp[.]com
  • hxxp://www[.]coderoute[.]ma
  • hxxp://www[.]hizaxytv[.]com
  • hxxp://www[.]seepano[.]com

Malicious Package Hash and name

  • 12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3  ma[.]coderoute[.]hzpermispro
  • 72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba  com[.]tassaly[.]flappybird
  • 4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838  com[.]mobistartapp[.]windows7launcher
  • 38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24  com[.]mobistartapp[.]win7imulator
  • 0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617  com[.]mobistartapp[.]flashlight
  • a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945  com[.]tassaly[.]flappybirrdog
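The following script is an added example and is not part of the advisory. It shows how a defender would take the indicators listed above (the C2 domains and the SHA-256/package pairs) and match them against two things the advisory's description of the infection chain makes relevant: the list of packages installed on a device, and DNS or proxy logs that would record the C2 registration traffic. The package list assumes the real `adb shell pm list packages -f` output format (`package:<apk path>=<package name>`); the DNS log lines are constructed samples in an assumed format, not captured from any device.

```python
"""Match the IoCs listed in this advisory against device and network data
(added example, not part of the advisory). All inputs below are constructed
samples; on a real device the package list would come from
`adb shell pm list packages -f` and the APK bytes from `adb pull`."""
import hashlib
import re

# C2 domains copied from the advisory, kept in its defanged form.
C2_DOMAINS_DEFANGED = [
    "hxxp://www[.]mobistartapp[.]com",
    "hxxp://www[.]coderoute[.]ma",
    "hxxp://www[.]hizaxytv[.]com",
    "hxxp://www[.]seepano[.]com",
]

# SHA-256 of the malicious APKs -> package name, copied from the advisory.
MALICIOUS_APKS = {
    "12fe6df56969070fd286b3a8e23418749b94ef47ea63ec420bdff29253a950a3": "ma.coderoute.hzpermispro",
    "72252bd4ecfbd9d701a92a71ff663776f685332a488b41be75b3329b19de66ba": "com.tassaly.flappybird",
    "4593635ba742e49a64293338a383f482f0f1925871157b5c4b1222e79909e838": "com.mobistartapp.windows7launcher",
    "38d70644a2789fc16ca06c4c05c3e1959cb4bc3b068ae966870a599d574c9b24": "com.mobistartapp.win7imulator",
    "0c477d3013ea8301145b38acd1c59969de50b7e2e7fc7c4d37fe0abc3d32d617": "com.mobistartapp.flashlight",
    "a645a3f886708e00d48aca7ca6747778c98f81765324322f858fc26271026945": "com.tassaly.flappybirrdog",
}
MALICIOUS_PACKAGE_NAMES = set(MALICIOUS_APKS.values())


def refang(defanged):
    """'hxxp://www[.]x[.]com' -> 'www.x.com' (scheme stripped, dots restored)."""
    host = defanged.replace("[.]", ".")
    host = re.sub(r"^hxxps?://", "", host, flags=re.IGNORECASE)
    return host.rstrip("/").lower()


def c2_hosts():
    """Set of C2 hostnames, with and without the leading 'www.'."""
    hosts = set()
    for d in C2_DOMAINS_DEFANGED:
        h = refang(d)
        hosts.add(h)
        if h.startswith("www."):
            hosts.add(h[len("www."):])
    return hosts


def flagged_installed_packages(pm_list_output):
    """Parse `pm list packages -f` output ('package:<apk path>=<package name>')
    and return (package, apk_path) for every package in the IoC list."""
    hits = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        path, sep, name = body.rpartition("=")
        if not sep:                 # plain `pm list packages` output has no path
            path, name = "", body
        if name in MALICIOUS_PACKAGE_NAMES:
            hits.append((name, path))
    return hits


def lookup_apk(apk_bytes):
    """SHA-256 the pulled APK and return the matching package name, or None."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    return MALICIOUS_APKS.get(digest.lower())


# Hostname-looking tokens: whole dotted labels, so partial names do not match.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def flagged_dns_queries(log_lines):
    """Return every C2 hostname seen in the given DNS/proxy log lines, in order."""
    hosts = c2_hosts()
    seen = []
    for line in log_lines:
        for token in HOST_RE.findall(line):
            if token.lower() in hosts:
                seen.append(token.lower())
    return seen


# Constructed sample inputs (not captured from a real device or resolver).
SAMPLE_PM_LIST = """\
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.mobistartapp.flashlight-1/base.apk=com.mobistartapp.flashlight
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/ma.coderoute.hzpermispro-2/base.apk=ma.coderoute.hzpermispro
"""

SAMPLE_DNS_LOG = [
    "2019-01-07T10:02:11Z client=10.0.0.5 query=www.google.com type=A",
    "2019-01-07T10:02:13Z client=10.0.0.5 query=www.mobistartapp.com type=A",
    "2019-01-07T10:02:15Z client=10.0.0.9 query=notseepano.com type=A",
    "2019-01-07T10:02:16Z client=10.0.0.9 query=seepano.com type=A",
]

if __name__ == "__main__":
    for name, path in flagged_installed_packages(SAMPLE_PM_LIST):
        print("IoC package installed:", name, "at", path)
    for host in flagged_dns_queries(SAMPLE_DNS_LOG):
        print("C2 lookup observed:", host)
```

The package-name check catches a known sample even when the APK has been modified (the hash would then differ), while the hash check confirms an exact match on a pulled APK; the DNS check matches whole hostnames only, so a lookup for an unrelated domain that merely contains an IoC as a substring is not flagged.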

Even though the malicious applications have been removed from the Play Store, there could be more such applications lurking around. It is advisable to stay alert and follow these recommendations.

Recommendations:

  • Users who find any of the above-mentioned packages or apps on their phone should immediately uninstall them from the device via Settings > Applications. Users can also use the factory reset option to return the device to its base configuration.
  • Even though the malware is being spread through the Google Play Store itself, it is advisable to stick to verified application stores as they are much safer than untrusted sources.
  • Do not download and install applications from untrusted sources (offered via unknown websites or links in unsolicited messages). Install applications downloaded from reputed application markets only.
  • Install and maintain an updated antivirus solution on Android devices. Scan the suspected device with antivirus solutions to detect and clean infections.
  • Prior to downloading or installing apps on Android devices (even from the Google Play Store), always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
  • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • In settings, do not enable installation of apps from "Untrusted Sources".
  • Exercise caution when clicking links, whether on trusted or untrusted sites.
  • Install Android updates and patches as and when available from Android device vendors.
  • Users are advised to use device encryption or the external SD card encryption feature available in most versions of the Android OS.
  • Do not download or open attachments in emails received from untrusted sources, or received unexpectedly from trusted users.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.

References: