
Exodus Android Spyware With Possible Links to Italian Government Analyzed

Android spyware known as Exodus has been found in more than 20 apps on Google Play Store. The malware is believed to have been developed by the Italian firm eSurv, which has commercial connections to the Italian government.

The apps have been removed from Google Play, and (at the time of writing) the eSurv website returns a 404 error. The LinkedIn and Twitter accounts that site referenced no longer exist, and the YouTube account is empty.

An analysis by researchers at Security Without Borders describes powerful but faulty spyware disguised as apps distributed by Italian mobile operators. Security Without Borders believes "we can estimate the total number of infections to amount in the several hundreds, if not a thousand or more."

There are two elements to the spyware, which are described as Exodus One and Exodus Two. The name comes from a C&C server: attiva.exodus.esurv[.]it. Motherboard also claims Exodus was the internal eSurv name for the malware.

Exodus One supposedly validates the target and acts as a dropper for Exodus Two. It gathers basic identifying information -- such as the IMEI code and phone number -- and returns it to the C&C. However, validation for targeting purposes does not appear to be enforced: the spyware on the researchers' phone immediately downloaded its payload after initial check-in.

The activated payload is described as Exodus Two. The major components of the payload are mike.jar and several compiled utilities for different purposes -- such as rootdaemon, which handles privilege escalation and data acquisition. 

The malware's ability for data collection and exfiltration is extensive. This ranges from common details such as installed apps, browsing history, address book, Facebook contacts and GPS coordinates, to the ability to switch on and listen via the microphone and take photos with the camera. It can retrieve all SMS messages, extract messages and the encryption key from Telegram, dump data from Viber, extract logs and retrieve any media exchanged via WhatsApp, and extract logs, contacts and messages from Skype; and more.

The extracted data is generally XORed and stored in a folder named .lost+found on the SD card, before being exfiltrated over a TLS connection to the Command & Control server, ws.my-local-weather[.]com, through an upload queue.

While the spyware's capabilities are extensive, its implementation is faulty. It seems designed as targeted spyware, but the targeting is either broken or not used. Furthermore, some of the data acquisition routines require root privileges. To reach them, mike.jar talks to rootdaemon over several TCP ports that the daemon binds for some of the extraction routines for supported applications. Those listeners are bound on all network interfaces rather than on loopback only, so they become reachable by anyone sharing a local network with an infected device.
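The check a practitioner would run against a suspect device follows from that last point: list the TCP listeners and flag any that are bound to a wildcard address rather than loopback. The example below is added here and is not code from the researchers or from eSurv. It parses `netstat -tln` style output (the constructed sample embedded in the block uses placeholder port numbers, not ports reported for Exodus) and, for contrast, shows the loopback-only bind that a local helper daemon should have used.

```python
"""Flag daemons that listen on all interfaces, from `netstat -tln` style output.

Added example: the sample output and port numbers below are constructed and
are not values taken from the Exodus analysis.
"""
import socket
from typing import List, Tuple

# Constructed sample of what `adb shell netstat -tln` might print on a device
# that runs a helper daemon with wildcard binds. 5037 on loopback is the usual
# adb server; the other ports are placeholders.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6081            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6084            0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""

# Addresses that mean "every interface": reachable from the LAN, not just locally.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every line in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        # Local Address is the 4th column; split on the last ':' so that
        # IPv6 forms such as ':::8080' keep their address part intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def wildcard_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Listeners that anyone on the same network segment can reach."""
    return [(a, p) for a, p in parse_listeners(netstat_text)
            if a in WILDCARD_ADDRS]


def bind_local_only(port: int = 0) -> Tuple[str, int]:
    """How a same-device helper should listen: loopback only.

    Binding to 127.0.0.1 keeps the port unreachable from other hosts on the
    LAN. Port 0 asks the kernel for a free port so the demo runs anywhere.
    Returns the (address, port) actually bound.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("127.0.0.1", port))
        sock.listen(1)
        return sock.getsockname()
    finally:
        sock.close()


if __name__ == "__main__":
    for addr, port in wildcard_listeners(SAMPLE_NETSTAT):
        print(f"LAN-reachable listener: {addr}:{port}")
    print("loopback-only bind:", bind_local_only())
```

On a real device the input would come from `adb shell netstat -tln` (or `ss -tln` where available); any wildcard listener that is not accounted for by a known app deserves a closer look, and a helper process that only ever serves a client on the same phone has no reason to bind anything but loopback (or a Unix domain socket).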

If suspicions that Exodus is spyware developed under contract for use by Italian law enforcement agencies prove true, the Security Without Borders report could be the beginning of an Italian scandal. Motherboard spoke to an Italian police agent who has experience using spyware during investigations. He commented, "This, from the point of view of legal surveillance, is insane. Opening up security holes and leaving them available to anyone is crazy and senseless, even before being illegal."

Most countries, including Italy, allow lawful interception by LEAs under certain circumstances. This generally excludes wide-scale monitoring -- but Security Without Borders has demonstrated a lack of target validation within Exodus, meaning that any user installing the spyware could be monitored.

Furthermore, the Italian data processing regulator published a 2018 opinion on the regulations for interception, commenting, "the installation of the computer sensor on a portable electronic device must not, where possible, lower the security level of the same device in which it was installed, both during interception operations and at the end of the same."

The Italian press is reporting that the regulator, Antonello Soro, is concerned. While stressing that little is yet known, he said, "It is a very serious fact on which there is great concern. We will do the necessary investigations as far as our competences are concerned, since the story still has very uncertain outlines and it is essential to clarify its exact dynamics."

SecurityWeek has approached the Italian regulator for a comment on the spyware, and will append any response to this article.

But while the privacy issues are important, they should not obscure a further worrying fact: this malware was not caught by Google's screening and was available on the Google Play Store. Will LaSala, Director of Security Solutions and security evangelist at OneSpan, points out, "This underscores that relying on Google or Apple to detect malicious apps is not a safe idea. Customers should look to protect their own apps with app shielding rather than look towards the platform vendors for increased security. Platform vendors tend to err on the side of convenience rather than security. As such, app developers and companies deploying apps really need to take security into their own hands to ensure their users are protected."

Related: Italian Siblings Arrested Over Long-running Cyber Espionage Campaign 

Related: Kaspersky Discovers Powerful Mobile Spyware 

Related: Surveillance Software Firm Hacking Team Suffers Data Breach 

Related: Growing Number of Governments Using FinFisher Spyware: Report 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.