Advanced Android Spyware Remained Hidden for Two Years

A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.

Dubbed BusyGasper, the malware includes device sensor listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.

Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.

The spyware also includes support for the IRC protocol and “can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky’s security researchers reveal.

The malware is apparently being installed manually, likely through physical access to a compromised device. Thus, fewer than 10 victims have been identified to date, all of them located in Russia.

The attackers collected victims’ personal data, including messages from IM applications and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.

“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” Kaspersky says.


An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.

The first module can start/stop IRC, manipulate IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell commands, send commands to the second module, download a component and copy it to the system path, and write a specified message to the log.

The second module writes a log of the command execution history to a file named “lock,” which can be exfiltrated to the C&C server. Log messages can also be sent via SMS to the attacker’s number.

“The malware has its own command syntax that represents a combination of characters while the ‘#’ symbol is a delimiter,” Kaspersky explains.

Featuring all of the capabilities found in modern spyware, the threat can spy on all available device sensors and can log registered events, can enable GPS/network tracking, and can execute multiple initial commands if an incoming SMS contains a specific string.

BusyGasper’s keylogging capabilities have been implemented in an original manner, Kaspersky says. The malware creates a TextView element hidden from the user, then attaches an OnTouchListener to it to process every user tap. The listener only processes tap coordinates, which it matches against hardcoded ones.

A hidden menu that provides control of implant features appears to have been created for manual operator control. The menu is activated if the operator calls the hardcoded number “9909” from the infected device.

A full list of commands supported by the malware shows that it can capture photos, record audio and video, execute specified shell commands, monitor and exfiltrate messages, update itself, and perform various backdoor commands.
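The behaviours described above (plaintext FTP as the payload store, IRC control, a dialer-code trigger for the hidden menu, launcher-icon hiding, tap-coordinate capture through a touch listener, direct reads of messenger data, and root/shell execution) are individually common in legitimate apps but rarely appear together. The following is an added example, not Kaspersky’s or SecurityWeek’s code, of a defender-side heuristic that scores an Android app artifact on that capability cluster. It assumes you have already extracted printable strings and the manifest permission list from an APK (for instance with apktool); the sample inputs, the indicator patterns and the thresholds are constructed for illustration and are not indicators published for BusyGasper.

```python
"""Heuristic scorer for a BusyGasper-like capability cluster in an Android APK.

Added example, not the code of Kaspersky or SecurityWeek. Inputs are assumed to be
a list of printable strings extracted from the APK (dex/smali) and the permission
names from its manifest. Patterns and thresholds are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# One regex per behaviour; a single hit per indicator is enough to count it.
INDICATORS = {
    # Plaintext FTP used as a C&C / payload store (article: public Ucoz FTP host)
    "ftp_c2": re.compile(r"ftp://[^\s\"']+", re.IGNORECASE),
    # IRC control channel: protocol verbs or the default IRC ports
    "irc": re.compile(r"\bPRIVMSG\b|\bNICK\b|\b666[7-9]\b"),
    # Dialer-code activation of a hidden menu (outgoing-call / secret-code receivers)
    "dial_trigger": re.compile(r"NEW_OUTGOING_CALL|SECRET_CODE"),
    # Hiding the launcher icon by disabling the launcher component
    "icon_hiding": re.compile(r"setComponentEnabledSetting"),
    # Tap-coordinate capture on an invisible view (keylogging via OnTouchListener)
    "touch_capture": re.compile(r"OnTouchListener|onTouchEvent|getRawX"),
    # Direct reads of messenger app data directories
    "im_harvest": re.compile(r"com\.whatsapp|com\.viber\.voip|com\.facebook\.orca"),
    # Root / shell command execution (Java or smali spelling)
    "shell_exec": re.compile(r"Runtime;->exec|Runtime\.getRuntime\(\)\.exec|/system/(bin|xbin)/su\b"),
}

# Manifest permissions that match the article's spying capabilities.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.PROCESS_OUTGOING_CALLS",
}


@dataclass
class Report:
    indicators: dict = field(default_factory=dict)   # indicator name -> first matching string
    permissions: set = field(default_factory=set)    # surveillance permissions requested

    @property
    def score(self) -> int:
        return len(self.indicators) + len(self.permissions)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: three behaviours plus two surveillance permissions.
        return len(self.indicators) >= 3 and len(self.permissions) >= 2


def assess(strings, permissions) -> Report:
    """Match extracted strings and permissions against the capability cluster."""
    report = Report()
    for line in strings:
        for name, pattern in INDICATORS.items():
            if name not in report.indicators and pattern.search(line):
                report.indicators[name] = line.strip()
    report.permissions = SURVEILLANCE_PERMS & set(permissions)
    return report


# Constructed sample input resembling strings pulled from a spyware-like APK.
SAMPLE_STRINGS = [
    "ftp://example-free-host.invalid/updates/",
    "android.intent.action.NEW_OUTGOING_CALL",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "Landroid/view/View$OnTouchListener;",
    "/data/data/com.whatsapp/databases/msgstore.db",
    "Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;",
]
SAMPLE_PERMS = [
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.PROCESS_OUTGOING_CALLS",
]

# Constructed sample input for an ordinary app: a touch listener alone is benign.
BENIGN_STRINGS = ["https://api.example.invalid/v1", "Landroid/view/View$OnTouchListener;"]
BENIGN_PERMS = ["android.permission.INTERNET", "android.permission.CAMERA"]

if __name__ == "__main__":
    for label, s, p in (("sample", SAMPLE_STRINGS, SAMPLE_PERMS), ("benign", BENIGN_STRINGS, BENIGN_PERMS)):
        r = assess(s, p)
        print(f"{label}: score={r.score} suspicious={r.suspicious} indicators={sorted(r.indicators)}")
```

The scorer deliberately keys on the combination rather than any single string, since touch listeners, FTP URLs or outgoing-call receivers each have legitimate uses; the assumed thresholds should be tuned against a corpus of known-good apps before being used for triage.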

Related: New Spyware Framework for Android Discovered

Related: Researchers Link New Android Backdoor to North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
