Executives Focus of Android Spyware

Wednesday, November 9, 2016 @ 08:11 AM gHale


A new piece of Android spyware is targeting executives, researchers said.

The only catch is, the spyware needs a manual installation on devices, said researchers at security firm Skycure.


Exaspy, as the researchers called the spyware, provides an attacker with access to the victim’s data.

The program ended up installed on an Android 6.0.1 device owned by a vice president at an unnamed company, Skycure researchers said in a blog post.

The malware required user interaction during installation, meaning the attacker needed physical access to the device to infect it, or extreme and effective social engineering, researchers said.

Because the malware requires such interaction to be installed, the real-world threat level is relatively low for those who take reasonable security precautions regarding their mobile devices.

When running for the first time, the malware requests admin rights, asks for a license number, hides itself, and then asks for root access (it can download a root exploit from the command and control (C&C) server if needed). Next, the spyware installs itself as a system package.

Once a device is infected, the malicious app can be used to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, native email client, Viber, WhatsApp, etc.), record audio (during calls or in the background), access the pictures library, take screenshots, and collect contact lists, calendars, browser history, call logs, and more.

If it has C&C connectivity, the malware can monitor and transmit local files, including photos and videos, and can execute shell commands. Moreover, it can spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package, the researchers said.

On the infected device, the app runs under the name of Google Services, using the package name “com.android.protect,” clearly masquerading as the legitimate Google Play Services, the researchers said. The spyware communicates with the hxxps://api.andr0idservices.com server (hosted in Google Cloud) and downloads updates from the hard-coded URL hxxp://www.exaspy.com/a.apk.

In addition to hiding itself from the launcher on the infected devices (by disabling its main activity component), the app disables Samsung’s SPCM service and com.samsung.android.smcore package, which allows it to run in the background.
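A triage script, added here as an example and not taken from Skycure's post, that checks captured adb output against the indicators the article lists (the masquerading package name, the disabled Samsung package, and the C&C and update domains). The sample outputs are constructed; the "/system path means system package" heuristic and the resolved-hostname list are assumptions.

```python
"""Check adb/pm output for the Exaspy indicators described in the article."""
import re

# Indicators from the article (domains as written there, without the hxxp prefix).
SUSPICIOUS_PACKAGE = "com.android.protect"        # spyware package, posing as Google Services
SAMSUNG_SPCM_PACKAGE = "com.samsung.android.smcore"  # disabled by the spyware to stay alive
INDICATOR_DOMAINS = ("andr0idservices.com", "exaspy.com")

# `adb shell pm list packages -f` prints lines like "package:<apk path>=<package name>"
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path from `pm list packages -f` text."""
    pkgs = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs

def parse_disabled(output: str) -> set:
    """Package names from `pm list packages -d` (lines of the form "package:<name>")."""
    return {l.strip()[len("package:"):] for l in output.splitlines()
            if l.strip().startswith("package:")}

def triage(pm_f_output: str, pm_d_output: str, resolved_hosts: list) -> list:
    """Return a list of human-readable findings; empty list means no indicator matched."""
    findings = []
    pkgs = parse_pm_list(pm_f_output)
    if SUSPICIOUS_PACKAGE in pkgs:
        findings.append(f"package {SUSPICIOUS_PACKAGE} present at {pkgs[SUSPICIOUS_PACKAGE]}")
        # Assumption: an APK under /system/ was installed as a system package (needs root).
        if pkgs[SUSPICIOUS_PACKAGE].startswith("/system/"):
            findings.append(f"{SUSPICIOUS_PACKAGE} is installed as a system package")
    if SAMSUNG_SPCM_PACKAGE in parse_disabled(pm_d_output):
        findings.append(f"{SAMSUNG_SPCM_PACKAGE} has been disabled")
    for host in resolved_hosts:  # match the domain itself or any subdomain of it
        if any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS):
            findings.append(f"contact with indicator domain {host}")
    return findings

# Constructed sample data standing in for real device output.
SAMPLE_PM_F = """package:/system/priv-app/GoogleServices/GoogleServices.apk=com.android.protect
package:/data/app/com.google.android.gms-1/base.apk=com.google.android.gms
package:/data/app/com.whatsapp-2/base.apk=com.whatsapp"""
SAMPLE_PM_D = "package:com.samsung.android.smcore"
SAMPLE_HOSTS = ["api.andr0idservices.com", "www.exaspy.com", "play.googleapis.com"]

def run_sample() -> list:
    return triage(SAMPLE_PM_F, SAMPLE_PM_D, SAMPLE_HOSTS)

if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```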

Skycure researchers said mobile spyware targeting high-profile individuals is becoming more popular.
