Connect with us

Hi, what are you looking for?


Mobile & Wireless

Exodus Android Spyware With Possible Links to Italian Government Analyzed

Android spyware known as Exodus has been found in more than 20 apps on Google Play Store. The malware is believed to have been developed by the Italian firm eSurv, which has commercial connections to the Italian government.

Android spyware known as Exodus has been found in more than 20 apps on Google Play Store. The malware is believed to have been developed by the Italian firm eSurv, which has commercial connections to the Italian government.

The apps have been removed from Google Play, and (at the time of writing) the eSurv website returns a 404 error. The LinkedIn and Twitter accounts referenced on this page no longer exist, and the YouTube account is empty.

An analysis by researchers at Security Without Borders describes powerful but faulty spyware disguised as apps distributed by Italian mobile operators. Security Without Borders believes “we can estimate the total number of infections to amount in the several hundreds, if not a thousand or more.”

There are two elements to the spyware, which are described as Exodus One and Exodus Two. The name comes from a C&C server: attiva.exodus.esurv[.]it. Motherboard also claims Exodus was the internal eSurv name for the malware.

Exodus One supposedly validates the target and acts as a dropper for Exodus Two. It gathers basic identifying information — such as the IMEI code and phone number — and returns it to the C&C. However, validation for targeting purposes does not appear to be enforced: the spyware on the researchers’ phone immediately downloaded its payload after initial check-in.

The activated payload is described as Exodus Two. The major components of the payload are mike.jar and several compiled utilities for different purposes — such as rootdaemon, which handles privilege escalation and data acquisition. 

The malware’s ability for data collection and exfiltration is extensive. This ranges from common details such as installed apps, browsing history, address book, Facebook contacts and GPS coordinates, to the ability to switch on and listen via the microphone and take photos with the camera. It can retrieve all SMS messages, extract messages and the encryption key from Telegram, dump data from Viber, extract logs and retrieve any media exchanged via WhatsApp, and extract logs, contacts and messages from Skype; and more.

Advertisement. Scroll to continue reading.

The extracted data is generally XORed and stored in a folder named .lost+found on the SD card, before being exfiltrated over a TLS connection to the Command & Control server,[.]com, through an upload queue.

While the spyware’s capabilities are extensive, its implementation is faulty. It seems designed as targeted spyware, but the targeting is either faulty or not used. Furthermore, some of the data acquisition routines require root privileges. To achieve this, mike.jar connects to rootdaemon through various TCP ports that the daemon binds on some extraction routines for supported applications. The routines run on all network interfaces, and consequently become accessible to anyone sharing a local network with an infected device.

If suspicions that Exodus is spyware developed under contract for use by Italian law enforcement agencies prove true, the Security Without Borders report could be the beginning of an Italian scandal. Motherboard spoke to an Italian police agent who has experience using spyware during investigations. He commented, “This, from the point of view of legal surveillance, is insane. Opening up security holes and leaving them available to anyone is crazy and senseless, even before being illegal.”

Most countries, including Italy, allow lawful interception by LEAs under certain circumstances. This generally excludes wide-scale monitoring — but Security Without Borders has demonstrated a lack of target validation within Exodus, meaning that any user installing the spyware could be monitored.

Furthermore, the Italian data processing regulator published a 2018 opinion on the regulations for interception, commenting, “the installation of the computer sensor on a portable electronic device must not, where possible, lower the security level of the same device in which it was installed, both during interception operations and at the end of the same.”

The Italian press is reporting that the regulator, Antonello Soro, is concerned. While stressing that little is yet known, he said, “It is a very serious fact on which there is great concern. We will do the necessary investigations as far as our competences are concerned, since the story still has very uncertain outlines and it is essential to clarify its exact dynamics.”

SecurityWeek has approached the Italian regulator for a comment on the spyware, and will append any response to this article.

But while the privacy issues are important, it should not be allowed to disguise a further worrying fact — this malware was not detected by Google’s filters and was made available on Google Play Store. Will LaSala, Director of Security Solutions and security evangelist at OneSpan, points out, “This underscores that relying on Google or Apple to detect malicious apps is not a safe idea. Customers should look to protect their own apps with app shielding rather than look towards the platform vendors for increased security. Platform vendors tend to error on the side of convenience rather than security. As such, app developers and companies deploying apps really need to take security into their own hands to ensure their users are protected.”

Related: Italian Siblings Arrested Over Long-running Cyber Espionage Campaign 

Related: Kaspersky Discovers Powerful Mobile Spyware 

Related: Surveillance Software Firm Hacking Team Suffers Data Breach 

Related: Growing Number of Governments Using FinFisher Spyware: Report 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.