Dozens of Italian-language applications found serving the infamous Exodus spyware

• Most of the mobiles users in Italy are infected by the spyware.
• Google confirmed that a total of 25 variants of the spyware were being distributed via malicious apps.

A new campaign that distributes spyware via dozens of infected Italian-language service applications has been discovered recently. The infected apps are available on the Google Play Store and are believed to have been downloaded for more than a thousand times by mobile users in Italy.

What’s the matter - Researchers from SecurityWithoutBorders (SWB), the non-profit organization, have identified a new campaign that is used to deliver the infamous Exodus spyware. The spyware is disguised as dozens of service apps from mobile operators for propagation. Apparently, both the Google Play Store pages and the malicious apps are in the Italian language.

“According to publicly available statistics, as well as confirmation from Google, most of these apps collected a few dozens of installations each, with one case reaching over 350. All of the victims are located in Italy,” the researchers noted.

Who’s the culprit - On further investigation, it was found that the Exodus spyware's platform has been developed by an Italian company called eSurv which primarily operates in the business of video surveillance.

Once the Exodus is executed, it can perform a series of nefarious activities. The malware is equipped with extensive collection and interception capabilities and can expose the infected devices to further compromise or data tampering.

The functionalities of Exodus spyware include retrieving a list of installed applications, recording phone calls in 3gp format, extracting the calls log, taking pictures with the embedded camera, extracting the address book, taking screenshots of any app, extracting information from the Gmail app, stealing all SMS messages and more.

Google confirmed that a total of 25 variants of the spyware were being distributed via malicious apps.

How does the campaign operate - The attack is executed in two stages.

• Firstly, one of the infected apps is downloaded on to a victim’s device. This unleashes the Exodus 1 malware which is capable of grabbing the device’s basic info such as the phone number and other sensitive details.
• Then, the downloaded Exodus 1 malware executes the primary stage 2 payload.

What actions were taken - SWB has informed Google about the campaign, who later investigated and removed the malicious apps.

“While Google did not share with us the total number of infected devices, they confirmed that one of these malicious apps collected over 350 installations through the Play Store, while other variants collected few dozens each, and that all infections were located in Italy. We have directly observed multiple copies of Exodus with more than 50 installs and we can estimate the total number of infections to amount in the several hundred, if not a thousand or more,” researchers added in their blog.