Commercial Exaspy spyware used to target high-level executives

Security researchers at Skycure have discovered a new commodity Android Spyware, dubbed Exaspy, targeting high-level executives.

While in many countries the number of Smartphone and Tables is greater of desktop PC, new threats are targeting mobile devices.

Researchers at Skycure have discovered a new strain of Android spyware, dubbed Exaspy, that has been used in targeted attacks against high-level executives.

Researchers from Skycure discovered an instance of the Exaspy malware that was installed on an Android 6.0.1 device owned by a Vice President at an unnamed company.

One of the most interesting aspects of this Android malware is that it requires manual installation on the target device, this implies that attackers have to physical access the smartphone.

Below the analysis provided by Skycure, it is interesting to note that the Exaspy malware needs admin rights for its execution and a license number.

“Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:

  1. Malware requests access to device admin rights
  2. Asks (nicely) for a licence number
  3. Hides itself
  4. Requests access to root (if the device is rooted and managed through popular rooting apps). Once granted, it installs itself as a system package to make its uninstallation process harder.”

Once the malware is installed on the device, it is able to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, native email client, Viber, WhatsApp, etc.).

On the infected device, the app runs under the name of Google Services leveraging the package name “,” this allows it masquerading the legitimate Google Play Services.

The Exaspy malware is able to record surrounding audio and victim’s calls, it can access photos on the device, it can take screenshots, and access many other user data, including the browser history and call logs.

The malware tries to transfer stolen data to C&C in presence of connectivity and waits for commands.

“The CNC (command and control) server is able to perform requests of its own, which include:

  1. Monitor and transmit local files, such as photos and videos taken.
  2. Execute shell commands, or spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package.”

The spyware communicates with a server at hxxps:// hosted in Google Cloud, it can download updates from the hard-coded URL hxxp://

Mobile malware is a privileged instrument for hackers that attempt targeting high-profile individuals, recently experts discovered another commercial spyware called Pegasus that was developed by the Israeli firm NSO Group.

I have forgotten to tell you that the Exaspy spyware is being sold as a $15-a-month turnkey service online.

What is the next commercial spyware?

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Exaspy spyware, Android)

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.