A new Android spyware called BusyGasper has recently been discovered. The spyware operation has been active since 2016 and is currently ongoing. Although BusyGasper is not considered to be all that sophisticated, the spyware has around 100 commands.
The spyware contains many unique features such as a keylogging, data-stealing abilities, and the ability to bypass the Doze battery saver. BusyGasper also contains “stand-out” features such as device sensors listeners, including motion detectors. The spyware is also capable of exfiltrating data from messaging apps like Facebook, WhatsApp and Viber.
“The sample has a multicomponent structure and can download a payload or updates from its C&C server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz,” Kaspersky Labs researchers, who discovered the BusyGasper spyware campaign, wrote in a blog. “It is noteworthy that BusyGasper supports the IRC protocol which is rarely seen among Android malware. In addition, the malware can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.”
The spyware is not being distributed via spearphishing or any other common vector. Instead, the cybercriminals operating the malware used physical access to victim’s device to install BusyGasper. Researchers suspect that BusyGasper’s infection vector is why the spyware has only infected 10 victims - all of whom are located in Russia.
“Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000.But as far as we know, the attacker behind this campaign is not interested in stealing the victims’ money,” Kaspersky researchers said. “We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware.”
BusyGasper is capable of executing backdoor activity without the victim knowing that the device is in an active state. However, as soon as the victim picks up the device, the spyware’s motion detector senses it and immediately minimizes all activities, ensuring that the victim remains unaware of all malicious activities.
“At the time of writing we had no evidence of an exploit being used to obtain root privileges, though it is possible that the attackers used some unseen component to implement this feature,” Kaspersky researchers said.