Posted on August 30, 2018 at 3:08 PM
Kaspersky Lab researchers have reported yet another piece of Android malware. The new discovery is spyware that is quite capable of stealing data from Android devices.
Introducing BusyGasper — the ultimate spyware for Android
A new piece of spyware called BusyGasper was reported by researchers at Kaspersky Lab, and it would seem that this one is quite effective at what it does. The report claims that the malware is not that sophisticated, but it has over 100 unique features that make it the ultimate spy tool. Some of the features include the ability to read and collect data from motion detectors, listening sensors, and even screen taps.
The malware was originally discovered earlier this year, but the researchers now believe that it has been active since mid-2016. Neither the identity nor the location of its creator is known at this time, but the researchers managed to discover that its C&C server is tied to Russia. Additionally, the names of some of the spyware victims are also Russian, which further confirms this discovery.
One of Kaspersky Lab’s researchers, Alexey Firsh, described the malware in a post by saying that it is not sophisticated, but it is rather unique and is implanted with some stand-out features. Among the most important aspects of the spyware is its IRC protocol support, which is not that common for Android malware. Additionally, the spyware can log into the attacker's own email inbox, parse the emails in a folder to which it was directed, find commands, and save payloads from email attachments to the device.
Finally, the researchers mentioned that the malware’s creators also managed to make a novel implementation of a keylogger. Basically, this means that the attacker managed to map the screens of infected devices and assign values to specific areas on the keyboard. This allows them to track even the movements on the phones’ screens, which poses even more danger for the infected devices’ users.
The spyware gets installed manually
One interesting detail that the researchers found is that the sample of infections they managed to detect was extremely small, including only 10 devices. Additionally, in order to infect a device, the attacker would need physical access. The report published by the researchers claims that there is no evidence of common infection vectors, such as spear-phishing.
However, there are some clues, like a hidden control menu, that indicate that the method of infecting the device is manual installation. The devices that were targeted by the attacker are mostly ASUS hardware running the Android system. Another significant deduction by the researchers is that the malware creator might be a novice in this field. This may explain why the communication is not encrypted, and why the attacker has been using a public server as a C&C.
After they opened up the spyware, the researchers found two modules. One of them is installed on the targeted phone, and the hacker then uses it to give instructions to the spyware. The second one is the one that actually brings additional functionality, like the ability to trigger commands remotely. The spyware can also target different apps, like Viber, Facebook, WhatsApp, and more. Not only that, but it can even steal and dump messages from a specific period, as requested by the hacker.