A newly discovered Android spyware is believed to be targeting high-level executives, but it requires manual installation on the device, according to security firm Skycure.
The malicious application was identified as a commercial spyware called Exaspy, which gives an attacker access to a large amount of the victim’s data. The program, Skycure researchers reveal, was found installed on an Android 6.0.1 device owned by a Vice President at an unnamed company.
The most interesting part of the finding, the security researchers say, was that the malware required user interaction during installation, meaning that the attacker needed either physical access to the device or extremely effective social engineering to infect it.
Because the malware requires such interaction to be installed, the real-world threat level is relatively low for those who take reasonable security precautions regarding their mobile devices.
When running for the first time, the malware requests admin rights, asks for a license number, hides itself, and then asks for root access (it can download a root exploit from the command and control (C&C) server if needed). Next, the spyware installs itself as a system package.
Once a device has been infected, the malicious app can be used to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, the native email client, Viber, WhatsApp, etc.), record audio (during calls or in the background), access the picture library, take screenshots, and collect contact lists, calendars, browser history, call logs, and more.
If it has C&C connectivity, the malware can monitor and transmit local files, including photos and videos, and can execute shell commands. Moreover, it can spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package, the researchers explain.
On the infected device, the app runs under the name Google Services, using the package name “com.android.protect,” clearly masquerading as the legitimate Google Play Services, the researchers note. The spyware communicates with the hxxps://api.andr0idservices.com server (which is hosted in Google Cloud) and downloads updates from the hard-coded URL hxxp://www.exaspy.com/a.apk.
In addition to hiding itself from the launcher on the infected devices (by disabling its main activity component), the app disables Samsung’s SPCM service and com.samsung.android.smcore package, which allows it to run in the background without Samsung’s service killing it. As mentioned above, it also installs itself as a system package to prevent removal by the user.
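A triage check built from the indicators above, added here as an example and not part of Skycure’s report: it parses `adb shell pm list packages -f` output (one `package:<apk path>=<name>` line per package), flags the reported package name and any com.android.* package missing from a known-clean baseline, and scans proxy log lines for the two reported domains. The baseline set, apk paths and log format are constructed for the sample.

```python
import re

# Indicators reported by Skycure in the article above.
EXASPY_PACKAGES = {"com.android.protect"}
EXASPY_DOMAINS = {"api.andr0idservices.com", "www.exaspy.com"}

# Constructed baseline of com.android.* packages from a known-clean device of the
# same model; in practice this is captured from a golden image.
BASELINE_ANDROID_PACKAGES = {"com.android.settings", "com.android.phone", "com.android.systemui"}

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<name>[\w.]+)$")

def parse_pm_list(output):
    """Return {package_name: apk_path} from `adb shell pm list packages -f` output."""
    pkgs = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs

def triage_packages(pkgs):
    """Flag the known Exaspy package name, and any com.android.* package that is not
    in the baseline (the namespace Exaspy borrows to look like a Google service)."""
    findings = []
    for name, path in sorted(pkgs.items()):
        if name in EXASPY_PACKAGES:
            findings.append((name, "known Exaspy package name", path))
        elif name.startswith("com.android.") and name not in BASELINE_ANDROID_PACKAGES:
            findings.append((name, "com.android.* package not in baseline", path))
    return findings

def find_c2_contacts(log_lines):
    """Return (host, line) pairs for proxy log lines naming an Exaspy domain."""
    return [(h, l) for l in log_lines for h in sorted(EXASPY_DOMAINS) if h in l]

# Constructed sample output: a clean device plus the spyware installed as a system
# package (the apk path is invented for the sample).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/app/protect/protect.apk=com.android.protect
package:/data/app/com.google.android.gms-1/base.apk=com.google.android.gms
"""

# Constructed proxy log lines (the log format is hypothetical).
SAMPLE_PROXY_LOG = [
    "10:14:02 10.0.0.12 CONNECT api.andr0idservices.com:443",
    "10:14:05 10.0.0.12 GET http://www.exaspy.com/a.apk",
    "10:15:00 10.0.0.12 CONNECT play.googleapis.com:443",
]
```

Run `triage_packages(parse_pm_list(SAMPLE_PM_OUTPUT))` and `find_c2_contacts(SAMPLE_PROXY_LOG)` to see the flagged package and the two C&C contacts; legitimate com.android.* packages that an OEM adds will need to be in the baseline to avoid noise.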
Not only does this spyware pose a significant risk to end users, but it can become an even greater risk to enterprises. It can be used to collect confidential company information such as financial, intellectual property, and product data; it can stealthily record confidential meetings; and it can be used to blackmail a company into paying large sums of money to prevent the obtained information from being leaked.
Skycure points out that mobile spyware targeting high-profile individuals has become more popular lately, with the Pegasus software that targets the iOS Trident vulnerabilities being the most notable recent example. The researchers also note that detection often fails because creating a signature for the malware can take a long time, on the one hand, and because malware can often evade sandboxes or hide its malicious code when it detects one, on the other.
“Mobile attacks used to require a special level of skill which made them more rare, but in today’s market it is easy for anyone to pay their way to being a threat. The Exaspy malware is just one of those packages that IT professionals need to defend against,” Skycure’s Elisha Eshed notes.