The BusyGasper Android spyware has been active since May 2016, it implements unusual features for this type of malware. Experts explained it is a unique spy implant with stand-out features such as device sensors listeners. BusyGasper can spy on all device sensors and enable GPS/network tracking, and it can run multiple initial commands if an incoming SMS contains a specific string.
The malware has an incredibly wide-ranging protocol, it is able to support about 100 commands and to bypass the Doze battery saver.
BusyGasper can exfiltrate data from several messaging applications, including WhatsApp, Viber, Facebook, and implements keylogging capabilities.
“Further investigation showed that the malware, which we named BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat.” reads the report published by Kaspersky.
“The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz.”
According to the researchers, the malware is installed manually through physical access to the target devices, Kaspersky has identified less than 10 victims to date, all of them located in Russia.
The Android malware also supports the IRC protocol that is very uncommon for Android malware.
The malicious code can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.
The analysis of the malware revealed the attackers used the malware to gather victims’ personal data, including messages from IM applications and SMS banking messages.
“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor.” continues Kaspersky.
“At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware”
The first module installed on the targeted device can be controlled over the IRC protocol and allows attackers to deploy additional components. The module seems to have root privileges, but malware researchers did not find evidence of the user of an exploit.
The module supports a wide range of commands including start/stop IRC, manage IRC settings, exit, use root features, report when the screen is on, hide/unhide the implant icon, execute shell, send commands to the second module, download and copy component to the system path, and write specified message to log.
The second module writes a log of the command execution history to a file named “lock,” which is later uploaded on the C&C server. Log messages can also be sent via SMS to the attacker’s number.
“Log files can be uploaded to the FTP server and sent to the attacker’s email inbox. It’s even possible to send log messages via SMS to the attacker’s number.” continues Kaspersky.
“As the screenshot above shows, the malware has its own command syntax that represents a combination of characters while the “#” symbol is a delimiter. A full list of all possible commands with descriptions can be found in Appendix II below.”
Experts discovered a hidden menu that could be used for manual operator control, it can be activated if the operator calls the hardcoded number “9909” from the infected device.
Kaspersky included in the report the IoCs.