06 Sep 2018

A new Android spyware called BusyGasper which is laden with an unusual set of highly effective spyware features are wizard at collecting and exfiltrating data from Android phones.

This malware contains more than 100 unique stand-out features such as device sensor listeners, motion detectors, and the ability to detect a user’s command on touch screens.

According to Kaspersky Lab researcher Alexey Firsh, “BusyGasper is not all that sophisticated but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features… that have been implemented with a degree of originality”.

He reported in the blog that the malware existed since at least May 2016, but was maintained underground for a significant time. By using physical access to the targeting victims the attackers install this malware and attacked mainly Russia based users. As of now there are less than 10 victims all from Russia.

While searching for the infection vector no evidence of spear-phishing or any of the other common vectors were found. But some hints regarding the existence of a hidden menu for operator control, point to a manual installation method – the attackers used physical access to a victim’s device to install the malware.

The spyware has the ability to spy on-device sensors (including motion detectors), exfiltrating data from messaging apps like WhatsApp, Viber, Facebook etc. keylogging, and bypassing the Doze battery saver.

The reports say that the hackers have coded the spyware in such a way that the screen of the device assigns a definite and unique value to the layout area of the keyboard. The listener can operate with only coordinates, so it calculates pressed characters by matching given values with hardcoded ones.

According to Kaspersky, BusyGasper’s initial module primarily enables C&C communication and the downloading of other components. The second module logs the malwares, the command execution history and introduces most of the spying and C&C email capabilities. There is also a separate keylogger component.

Technical Writer,  Blogger,

Leave your thought

This site uses Akismet to reduce spam. Learn how your comment data is processed.