Fake Voicemail App Built Through Xamarin Platform Spreads Spyware

Cyble Research Labs identified a malware sample during a routine threat-hunting exercise from MalwareBazaar posted by a Researcher. The app poses itself as a “Voicemail” app to deceive users into thinking that it is genuine. The application has various functionalities like Keylogging, screen recording, SMS, and call logs collection on performing the analysis.

The application was developed using an open-source platform called “Xamarin”. This open-sourced platform is used for building Android and iOS apps with .NET and C# codes. The source code is essentially compiled into CIL (IL) instructions, which are then saved in DLL-managed assemblies. These, together with app resources and other data, are then bundled into an APK package by the android package builder.

On analyzing the app further, it is observed that the malicious app is a forked version of an open-source project AndroSpy.

Figure 1 depicts the DLL files found from the application

Figure 1 DLL files from the APK file

The app also carries out Spyware operations, which are masked by Xamarin packaged source codes. The attackers’ purpose in using Xamarin is to hide the malicious code and extract sensitive data without being detected.

The apps of this variant are commonly disguised as messaging, camera, or utility apps, and they are designed to steal information such as:

  • SMS data
  • Contacts
  • Call logs
  • Device information
  • Location tracking
  • Images

Technical Analysis

Researchers at Cyble downloaded the malware samples and performed a detailed analysis, based on which we determined that the malware is a variant of spyware and uploads the victim data to a Command & Control (C2) server. 

APK Metadata Information:

Figure 2 represents the metadata information of the application. 

Figure 2 Metadata Information of the APK file
  • App Name: Voicemail.apk
  • Package Name: com.device.voicemail
  • SHA256 Hash:  6c454bda271d459ed3325ac77ef503972d170d099f53623c057d02d194a295de

Manifest Data:

The malware has and requests multiple dangerous permissions to collect contacts, SMSs, and the victim’s location. Table 1 shows this list of hazardous permissions.

INTERNET  Allows applications to open network sockets 
READ_PHONE_STATE  Read-only access to phone state 
READ_CONTACTS Access to phone contacts 
WRITE_CONTACTSAllows an application to write the user’s contacts data.
ACCESS_MOCK_LOCATIONAllows the app to override the location and/or status returned by other location sources such as GPS or location providers
PROCESS_OUTGOING_CALLSAllows an application to see the number being dialed during an outgoing call
ACCESS_COARSE_LOCATIONAllows an app to access approximate location
BLUETOOTHAllows applications to connect to paired Bluetooth devices.
BLUETOOTH_ADMINAllows applications to discover and pair Bluetooth devices.
ACCESS_FINE_LOCATIONAllows an app to access precise location
SEND_SMSAllows an application to send SMS messages.
WRITE_SMSAllows the app to write to SMS messages stored on your phone or SIM card
READ_SMSAllows an application to read SMS messages.
RECEIVE_SMSAllows an application to receive SMS messages.
WRITE_CALL_LOGAllows an application to write (but not read) the user’s call log data.
READ_CALL_LOGAllows an application to read the user’s call log.
WRITE_EXTERNAL_STORAGEAllows an application to read from external storage.
CHANGE_WIFI_STATEAllows applications to change Wi-Fi connectivity state.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialler 
CAMERARequired to be able to access the camera device.
RECORD_AUDIOAllows an application to record audio.
Table 1 Permission used for malicious activity

Upon reviewing the application’s code, it has multiple entry points declared in the manifest file. “crc646c638bcfc2425995.MainActivity” is the main entry point of the app that loads initially.

Figure 3 Manifest Information of the APK file

In the main activity, the app calls the code from the ServicesDemo3 DLL file.

Figure 4 Loads the code from ServicesDemo3 DLL files

When looking at other classes like SMSBroadcastReceiver, SMSSTATUS, screenActivty, it invokes the code from the ServicesDemo3 DLL file.

Providing insight into the ServicesDemo3 DLL file, Figure 5 shows listed services and receivers.

Figure 5 Services and Receivers from ServicesDemo3 DLL file

Application on execution requests users with live streaming permission. Upon users’ access grant, the attacker could monitor the device screen without users’ knowledge.

Figure 6 Screensharing functionality on enabling one-time permission

ForegroundService collects all the sensitive information and performs malicious activities on the infected device. Following are the details observed during our analysis:

  • Malicious code checks for the Build version of the infected device
Figure 7 Build Version Check
  • Malicious code collects and monitors the details of the installed apps from the infected device
Figure 8 Collects the installed application details
  • Malicious code can disable the battery optimization feature, to always run in the background
Figure 9 Disable Battery optimization
  • Malicious code runs the shell commands, even though the device is not rooted
Figure 10 Executes the Shell Commands
  • The collected SMS data are stored as logs and send via sockets
Figure 11 Stores the SMS data and sends it to the C2 server via sockets
  • Similarly, the collected Contacts data are stored as logs and communicated to the C2 server via sockets
Figure 12 Contact logs communicate to C2 server via sockets
  • Furthermore, the application also reads/collects the call logs from the infected devices and communicates to the C2 server again via sockets
Figure 13 Call logs information sends to C2 server via sockets
  • Also, the application has code to collect the hardware information of the infected device
Figure 14 Hardware information of the infected device
  • Finally, the collected data and activities performed within ForegroundService are interconnected to Oncreate() function
Figure 15 Oncreate() used in ForegroundService

The ServicesDemo3 DLL also has SMSBroadcastReceiver, which is used for sending and receiving text messages also can send SMS to the number provided by the TA.

The threat actor also operates the malicious app through commands received from his inbuilt C2 server. The following figure depicts the C2 server identified from the application.

Figure 16 Attackers C2 server


Even though spyware has been around for a long time, it continues to constitute a severe threat since the Threat Actors behind it are constantly changing and employing various encryption techniques to prevent detection. This situation makes spyware eradication nearly impossible.

Based on our research, the malware writers are now producing increasingly sophisticated bits of software, which they embed into various packages designed for specific devices and platforms. As a result, users should be cautious when installing software.

Our Recommendations:

We recommend that our readers follow the best practices given below:   

  • Keep your anti-virus software updated to detect and remove malicious software.  
  • Uninstall the application if you find this malware on your device.  
  • Keep your system and applications updated to the latest versions.  
  • Use strong passwords and enable two-factor authentication.  
  • Download and install software only from trusted sites and official app stores.  
  • Verify the privileges and permissions requested by apps before granting them access.   

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Defense EvasionT1406Obfuscated Files or Information
Discovery/CollectionT1430Location Tracking
Collection/Credential AccessT1412Capture SMS Messages
CollectionT1433Access Call Log
CollectionT1429Capture Audio
CollectionT1507Network Information Discovery
Network EffectsT1449Exploit SS7 to Redirect Phone Calls/SMS
Command and ControlT1571Non-Standard Port
ImpactT1447Delete Device Data
ImpactT1448Carrier Billing Fraud

Indicators Of Compromise (IOCs) 

IndicatorsIndicator typeDescription
6c454bda271d459ed3325ac77ef503972d170d099f53623c057d02d194a295deSHA256Malicious APK
0pcnerd0-31594.portmap[.]hostURLCommunicating URL
193.161.193[.]99IPIP address of C2

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Scroll to Top