SecurityWeek

Mobile & Wireless

Android Spyware Targets Executives

A newly discovered Android spyware is believed to target high-level executives, but it requires manual installation on the device, according to security firm Skycure.


The malicious application was identified as a commercial spyware package called Exaspy, which gives an attacker access to much of the victim’s data. The program, Skycure researchers reveal, was installed on an Android 6.0.1 device owned by a Vice President at an unnamed company.

The most interesting part of the finding, the security researchers say, is that the malware required user interaction during installation, meaning the attacker needed either physical access to the device or extremely effective social engineering to infect it.

Because the malware requires such interaction to be installed, the real-world threat level is relatively low for those who take reasonable security precautions regarding their mobile devices.

When run for the first time, the malware requests device admin rights, asks for a license number, hides itself, and then asks for root access (downloading a root exploit from the command and control (C&C) server if needed). Next, the spyware installs itself as a system package.

Once a device has been infected, the malicious app can be used to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, the native email client, Viber, WhatsApp, etc.), record audio (during calls or in the background), access the picture library, take screenshots, and collect contact lists, calendars, browser history, call logs, and more.

If it has C&C connectivity, the malware can monitor and transmit local files, including photos and videos, and can execute shell commands. Moreover, it can spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package, the researchers explain.

Advertisement. Scroll to continue reading.

On the infected device, the app runs under the name “Google Services” with the package name “com.android.protect,” clearly masquerading as the legitimate Google Play Services, the researchers note. The spyware communicates with the server hxxps://api.andr0idservices.com (which is hosted in Google Cloud) and downloads updates from the hard-coded URL hxxp://www.exaspy.com/a.apk.

In addition to hiding itself from the launcher on infected devices (by disabling its main activity component), the app disables Samsung’s SPCM service and the com.samsung.android.smcore package, which lets it run in the background without Samsung’s service killing it. As mentioned above, it also installs itself as a system package to prevent removal by the user.
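A triage check for the host and network indicators named above, written as an added example and not code from Skycure or the article. It parses the standard `pm list packages -f` and `pm list packages -d` output formats and constructs sample device output and proxy log lines inline; on a real device the same text comes from `adb shell`.

```python
"""Look for the Exaspy indicators described in the article in adb output."""
import re

# Indicators from the article. The genuine Play Services package is
# com.google.android.gms, so any other package labelled "Google Services"
# (here com.android.protect) is suspect.
SPYWARE_PACKAGE = "com.android.protect"
SAMSUNG_SMCORE = "com.samsung.android.smcore"   # disabled by the spyware
NETWORK_IOCS = ("api.andr0idservices.com", "www.exaspy.com")

# `pm list packages -f` prints lines like package:<apk path>=<package name>
PKG_RE = re.compile(r"^package:(?P<path>\S+)=(?P<name>\S+)$")

def parse_pm_list_f(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs

def parse_pm_list_d(text):
    """Set of disabled package names from `pm list packages -d` output."""
    return {l.strip()[len("package:"):] for l in text.splitlines()
            if l.strip().startswith("package:")}

def triage(pm_f, pm_d, net_log):
    """Return human-readable findings, in the order they were checked."""
    findings = []
    pkgs = parse_pm_list_f(pm_f)
    if SPYWARE_PACKAGE in pkgs:
        # The spyware re-installs itself as a system package; record where it sits.
        where = "system" if pkgs[SPYWARE_PACKAGE].startswith("/system/") else "user"
        findings.append(f"{SPYWARE_PACKAGE} installed as {where} package")
    if SAMSUNG_SMCORE in parse_pm_list_d(pm_d):
        findings.append(f"{SAMSUNG_SMCORE} is disabled")
    for line in net_log.splitlines():
        for ioc in NETWORK_IOCS:
            if ioc in line:
                findings.append(f"network IOC {ioc} seen: {line.strip()}")
    return findings

# Constructed sample input (not captured from a real device).
SAMPLE_PM_F = """package:/system/priv-app/PrebuiltGmsCore/PrebuiltGmsCore.apk=com.google.android.gms
package:/system/priv-app/protect/protect.apk=com.android.protect
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""
SAMPLE_PM_D = "package:com.samsung.android.smcore\n"
SAMPLE_NET_LOG = """2016-11-01T10:00:01 CONNECT api.andr0idservices.com:443
2016-11-01T10:00:05 GET http://www.exaspy.com/a.apk
2016-11-01T10:00:09 GET https://www.example.com/
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_F, SAMPLE_PM_D, SAMPLE_NET_LOG):
        print(f)
```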

Not only does this spyware pose a significant risk to end users, but it can become an even greater risk to enterprises. It can be used to collect confidential company information such as financial, intellectual property, and product data; to stealthily record confidential meetings; and to blackmail a company into paying large sums of money to prevent the leaking of the information obtained.

Skycure points out that mobile spyware targeting high-profile individuals has become more common lately, with the Pegasus software that exploits the iOS Trident vulnerabilities being the most notable recent example. The researchers also note that detection often fails for two reasons: creating a signature for the malware can take a long time, and malware can often evade sandboxes or hide its malicious code when it detects one.

“Mobile attacks used to require a special level of skill which made them more rare, but in today’s market it is easy for anyone to pay their way to being a threat. The Exaspy malware is just one of those packages that IT professionals need to defend against,” Skycure’s Elisha Eshed notes.

Related: Android Spyware Snoops on Government, Military Security Job Seekers

Related: Europe Cracks Down on Export of Surveillance Technologies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
