New BusyGasper Variant Spies on Android Devices with Impunity
The Android platform is back in the cybersecurity headlines this week, this time with the continued spread of the BusyGasper spyware. According to Kaspersky Lab, BusyGasper has existed since May 2016, but it escaped public attention because of its very low infection rate and its concentration in the Russian Federation.
The newly reported variant turns an infected device into a fully monitored zombie: every sensor on the device is logged, user data is mined for the operators, and messaging apps are tracked so that conversations can be forwarded to the attackers. BusyGasper has also been updated to work around the system-wide Doze battery-saving mode introduced in Android 6.0 Marshmallow, which lets the implant stay resident and active instead of being suspended when the device idles.
The distinguishing feature of BusyGasper among Android spyware is its use of the IRC protocol to phone home to its operators, alongside a server hosted on the Russian web-hosting provider uCoz. Its data-collection capability is extensive: it can log into an email account and extract as much information as it needs, and, as Firsh explains below, that mailbox also doubles as a second command channel.
“Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims’ money. We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware,” said Alexey Firsh, Malware Analyst at Kaspersky Lab.
BusyGasper is deployed to an Android device in stages. The first stage’s goal is to open a communication line between the infected device and the spyware’s operators, using the old but still reliable IRC protocol. In that stage the implant supports the following commands:
| Command | Description |
|---|---|
| @server | Set IRC server (default value is “irc.freenode.net”); the port is always 6667 |
| @boss | Set IRC command-and-control nickname (default value is “ISeency”) |
| @nick | Set IRC client nickname |
| @screen | Report every time the screen is turned on (enable/disable) |
| @root | Use root features (enable/disable) |
| @timer | Set the period of IRCService start (0) |
| @hide | Hide the implant icon |
| @unhide | Unhide the implant icon |
| @run | Execute the specified shell command |
| @broadcast | Send a command to the second module |
| @echo | Write the specified message to the log |
| @install | Download and copy the specified component to the system path |
The second stage sets up the spying and email infrastructure on the device. “The implant is able to spy on all available device sensors and to log registered events. Moreover, there is a special handler for the accelerometer that is able to calculate and log the device’s speed. The implant can log in to the attackers’ email inbox, parse emails for commands in a special ‘Cmd’ folder and save any payloads to a device from email attachments. Emergency SMS commands: if an incoming SMS contains one of the following magic strings, ‘2736428734’ or ‘7238742800’, the malware will execute multiple initial commands,” explained Firsh.
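The command vocabulary in the table above, the hard-coded IRC port and default nickname, and the two SMS trigger strings Firsh quotes are all usable as detection indicators. The following script is an added example written for this article, not code from Kaspersky Lab or from the malware itself: it parses IRC PRIVMSG lines, outbound connection records and SMS bodies (all constructed sample data, with `.invalid` hosts) and reports which BusyGasper indicators each one matches. The traffic and log formats are assumptions; adapt the parsers to whatever your proxy, NetFlow or MDM export actually emits.

```python
import re
from dataclasses import dataclass

# First-stage IRC command vocabulary, as listed in the Kaspersky write-up.
BUSYGASPER_COMMANDS = {
    "@server", "@boss", "@nick", "@screen", "@root", "@timer",
    "@hide", "@unhide", "@run", "@broadcast", "@echo", "@install",
}
DEFAULT_C2_SERVER = "irc.freenode.net"   # default @server value
DEFAULT_BOSS_NICK = "ISeency"            # default @boss value
IRC_PORT = 6667                          # port is hard-coded per the analysis
# "Emergency" SMS trigger strings quoted by Firsh.
SMS_MAGIC = ("2736428734", "7238742800")

# Minimal parser for an IRC PRIVMSG line: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def inspect_irc_line(line: str) -> list[Finding]:
    """Flag PRIVMSGs that look like BusyGasper operator traffic."""
    findings: list[Finding] = []
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return findings                        # PING, JOIN, etc. are ignored
    nick, text = m.group("nick"), m.group("text").strip()
    if nick == DEFAULT_BOSS_NICK:
        findings.append(Finding("default_boss_nick", nick))
    # The implant treats the first token as the command, so only the first
    # token is matched; "@everyone" in the middle of a chat line does not fire.
    first = text.split(maxsplit=1)[0] if text else ""
    if first in BUSYGASPER_COMMANDS:
        findings.append(Finding("busygasper_command", first))
    return findings


def inspect_connection(host: str, port: int) -> list[Finding]:
    """Flag outbound connections matching the implant's defaults."""
    findings: list[Finding] = []
    if port == IRC_PORT:
        findings.append(Finding("irc_port", f"{host}:{port}"))
    if host.lower() == DEFAULT_C2_SERVER:
        findings.append(Finding("default_c2_server", host))
    return findings


def inspect_sms(body: str) -> list[Finding]:
    """Flag inbound SMS carrying one of the emergency trigger strings."""
    compact = re.sub(r"\s", "", body)          # tolerate spaces inside the digits
    return [Finding("sms_trigger", magic) for magic in SMS_MAGIC if magic in compact]


def scan(irc_lines, connections, sms_bodies) -> list[Finding]:
    """Run every inspector over the supplied telemetry and collect the hits."""
    out: list[Finding] = []
    for line in irc_lines:
        out.extend(inspect_irc_line(line))
    for host, port in connections:
        out.extend(inspect_connection(host, port))
    for body in sms_bodies:
        out.extend(inspect_sms(body))
    return out


# Constructed sample telemetry (not real captures).
SAMPLE_IRC = [
    ":ISeency!op@example.invalid PRIVMSG droid01 :@screen enable",
    ":ISeency!op@example.invalid PRIVMSG droid01 :@run id",
    ":alice!u@example.invalid PRIVMSG #chat :hello @everyone",
    "PING :irc.example.invalid",
]
SAMPLE_CONNECTIONS = [("irc.freenode.net", 6667), ("10.0.0.5", 443)]
SAMPLE_SMS = ["Your code is 2736 428734", "Balance: 100"]

if __name__ == "__main__":
    for f in scan(SAMPLE_IRC, SAMPLE_CONNECTIONS, SAMPLE_SMS):
        print(f"{f.kind:22} {f.detail}")
```

On the sample data the script reports seven findings: four from the two operator messages, two from the freenode connection and one from the SMS. Treat the indicators with different weight: freenode is a public IRC network and port 6667 is ordinary IRC traffic, so those two alone are weak signals on a general network, whereas the `@`-prefixed command set from a nick named ISeency, or either magic string arriving by SMS, is specific to this family.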
The third stage installs the keylogger component, which monitors taps on the Android keyboard. “Immediately after activation, the malware creates a textView element in a new window; all these parameters ensure the element is hidden from the user. Then it adds onTouchListener to this textView and is able to process every user tap. The listener can operate with only coordinates, so it calculates pressed characters by matching given values. The keylogger can make a screenshot of the tapped display area,” emphasized Firsh.
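Because the hidden overlay only ever sees raw touch coordinates, recovering characters means matching each tap against an assumed keyboard geometry. The snippet below is an added illustration of that matching step, written for this article rather than taken from the malware or from Kaspersky’s analysis: it builds a hypothetical portrait QWERTY layout (key sizes and row stagger are assumptions), resolves a list of constructed taps to characters, and returns “?” for taps that land outside the assumed keyboard. It also shows the technique’s main weakness: the same coordinates resolve to different characters under a different layout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeyRect:
    char: str
    x: int      # left edge, px
    y: int      # top edge, px
    w: int      # width, px
    h: int      # height, px

    def contains(self, px: int, py: int) -> bool:
        return self.x <= px < self.x + self.w and self.y <= py < self.y + self.h


def build_layout(key_w: int = 100, key_h: int = 150, top: int = 1500) -> list[KeyRect]:
    """Hypothetical portrait QWERTY layout: three staggered rows of key_w x key_h boxes.
    Real keyboards differ per app, language and orientation; these numbers are assumptions."""
    rows = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
    offsets = (0, 50, 150)          # horizontal stagger of each row
    layout: list[KeyRect] = []
    for r, (row, off) in enumerate(zip(rows, offsets)):
        for i, ch in enumerate(row):
            layout.append(KeyRect(ch, off + i * key_w, top + r * key_h, key_w, key_h))
    return layout


def resolve_tap(layout: list[KeyRect], px: int, py: int) -> Optional[str]:
    """Map one raw touch coordinate to a key, or None if it hits no key."""
    for k in layout:
        if k.contains(px, py):
            return k.char
    return None


def infer_keystrokes(layout: list[KeyRect], taps: list[tuple[int, int]]) -> str:
    """What a coordinate-only listener can recover: one character per tap, or '?'
    when the tap lands outside the assumed keyboard (e.g. on the app above it)."""
    return "".join(resolve_tap(layout, x, y) or "?" for x, y in taps)


# Constructed taps: 'h' (row 2, 6th key), 'i' (row 1, 8th key), then a tap on
# the app area above the keyboard that no layout entry covers.
SAMPLE_TAPS = [(600, 1700), (750, 1550), (600, 200)]

if __name__ == "__main__":
    print(infer_keystrokes(build_layout(), SAMPLE_TAPS))               # hi?
    print(infer_keystrokes(build_layout(key_w=200), SAMPLE_TAPS))      # dr?
```

The second call uses wider keys, as a landscape or tablet keyboard might, and the same three taps decode to “dr?” instead of “hi?”. That is why the analysis notes the implant also screenshots the tapped region: the coordinate match alone is only as good as the operator’s guess about the victim’s keyboard.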
Android users should be careful about where they source their apps. Apps published through the Google Play Store are reviewed before release, and Google Play Protect additionally scans installed apps on the device, but sideloading an APK bypasses that pre-publication review entirely. Enabling installation from unknown sources (the “Unknown Sources” setting, or the per-app “Install unknown apps” permission on Android 8.0 and later) therefore raises the likelihood of installing an app with embedded malware, and users should also review the permissions an app requests before granting them.