Commercial Exaspy spyware used to target high-level executives

Security researchers at Skycure have discovered a new commodity Android Spyware, dubbed Exaspy, targeting high-level executives.

While in many countries the number of Smartphone and Tables is greater of desktop PC, new threats are targeting mobile devices.

Researchers at Skycure have discovered a new strain of Android spyware, dubbed Exaspy, that has been used in targeted attacks against high-level executives.

Researchers from Skycure discovered an instance of the Exaspy malware that was installed on an Android 6.0.1 device owned by a Vice President at an unnamed company.

One of the most interesting aspects of this Android malware is that it requires manual installation on the target device, this implies that attackers have to physical access the smartphone.

Below the analysis provided by Skycure, it is interesting to note that the Exaspy malware needs admin rights for its execution and a license number.

“Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:

1. Malware requests access to device admin rights
2. Asks (nicely) for a licence number
3. Hides itself
4. Requests access to root (if the device is rooted and managed through popular rooting apps). Once granted, it installs itself as a system package to make its uninstallation process harder.”

Once the malware is installed on the device, it is able to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, native email client, Viber, WhatsApp, etc.).

On the infected device, the app runs under the name of Google Services leveraging the package name “com.android.protect,” this allows it masquerading the legitimate Google Play Services.

The Exaspy malware is able to record surrounding audio and victim’s calls, it can access photos on the device, it can take screenshots, and access many other user data, including the browser history and call logs.

The malware tries to transfer stolen data to C&C in presence of connectivity and waits for commands.

“The CNC (command and control) server is able to perform requests of its own, which include:

1. Monitor and transmit local files, such as photos and videos taken.
2. Execute shell commands, or spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package.”

The spyware communicates with a server at hxxps://api.andr0idservices.com hosted in Google Cloud, it can download updates from the hard-coded URL hxxp://www.exaspy.com/a.apk.

Mobile malware is a privileged instrument for hackers that attempt targeting high-profile individuals, recently experts discovered another commercial spyware called Pegasus that was developed by the Israeli firm NSO Group.

I have forgotten to tell you that the Exaspy spyware is being sold as a $15-a-month turnkey service online.

What is the next commercial spyware?

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Exaspy spyware, Android)