Government of the Republic of Trinidad and Tobago

Advanced Android Spyware Remained Hidden for Two Years

Advanced Android Spyware Remained Hidden for Two Years

A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.

Dubbed BusyGasper, the malware includes device sensors listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.

Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.

The spyware also includes support for the IRC protocol and can “can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky’s security researchers reveal.

The malware is apparently being installed manually, likely through physical access to a compromised device. Thus, fewer than 10 victims have been identified to date, all of them located in Russia.

The attackers collected victims’ personal data, including messages from IM applications, and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” Kaspersky says.

An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.

The first module can start/stop IRC, manipulate IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy component to the system path, and write specified message to log.

The second module writes a log of the command execution history to a file named “lock,” which can be exfiltrated to the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“The malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter,” Kaspersky explains.

Featuring all of the capabilities found in modern spyware, the threat can spy on all available device sensors and can log registered events, can enable GPS/network tracking, and can execute multiple initial commands if an incoming SMS contains a specific string.

BusyGasper’s kelogging capabilities have been implemented in an original manner, Kaspersky says. The malware creates a textView element hidden from the user, then adds onTouchListener to it, to process every user tap. The listener only processes coordinates, which it matches with hardcoded ones.

A hidden menu that provides control of implant features appears to have been created for manual operator control. The menu is activated if the operator calls the hardcoded number “9909” from the infected device.

A full list of commands supported by the malware shows that it can capture photos, record audio and video, execute specified shell commands, monitor and exfiltrate messages, update itself, and perform various backdoor commands.