A newly discovered mobile malware implant nicknamed BusyGasper might leave a few Android users breathless, if they knew about the unusual set of features the spyware uses to snoop on them.
In an Aug. 29 blog post, Kaspersky Lab researcher Alexey Firsh reports that BusyGasper has existed since at least May 2016. But there’s a good reason it’s managed to fly under the radar until recently: there are fewer than 10 victims, all apparently based in Russia. (And two of these may be test devices.) In fact, Kaspersky believes the infection vector for this limited allotment of devices could be a manual installation method that requires physical access to the targeted equipment.
In its current form, the modular malware can reportedly issue around 100 commands, and its capabilities include spying on device sensors (including motion detectors), exfiltrating data from messaging apps (e.g., WhatsApp, Viber and Facebook), keylogging, and bypassing the Doze battery saver.
From an architectural standpoint, BusyGasper uses the IRC (Internet Relay Chat) protocol (rare for Android malware) to communicate with its command-and-control FTP server, which has been sourced to the free Russian web hosting service Ucoz. Additionally, it can receive C2 instructions by logging into the attacker’s email inbox and searching for commands, as well as malicious payloads in the form of email attachments.
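A defender-side illustration of the C2 channels just described, added here and not taken from Kaspersky's report: a small triage over constructed proxy log lines that flags IRC-style handshakes, plaintext FTP logins and plaintext mailbox logins coming from handsets. The log layout, device names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of outbound traffic as a mobile-network proxy might log it.
# The line layout (timestamp, device id, dst:port, first payload bytes) is an
# assumption for this example, not any real product's format.
SAMPLE_LOG = """\
2018-08-29T10:00:01 dev-a 203.0.113.5:6667 NICK dev_a_bot
2018-08-29T10:00:02 dev-a 203.0.113.5:6667 USER dev_a 0 * :dev_a
2018-08-29T10:00:05 dev-a 203.0.113.5:6667 JOIN #control
2018-08-29T10:01:00 dev-a 198.51.100.7:21 USER operator
2018-08-29T10:01:01 dev-a 198.51.100.7:21 PASS s3cret
2018-08-29T10:02:00 dev-b 192.0.2.10:443 <tls client hello>
2018-08-29T10:03:00 dev-b 198.51.100.9:143 a001 LOGIN mailbox@example.invalid s3cret
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (.*)$")
# IRC client verbs (RFC 1459) that have no business coming from a handset.
IRC_VERB = re.compile(r"^(NICK|JOIN|PRIVMSG)\b")


def classify(port, payload):
    """Map one logged connection line to a finding name, or None."""
    if IRC_VERB.match(payload) or (port in (6667, 6697) and payload.startswith("USER ")):
        return "irc-style C2 from a handset"
    if port == 21 and payload.split(" ", 1)[0] in ("USER", "PASS"):
        return "plaintext FTP login"
    if port == 143 and " LOGIN " in payload:
        return "plaintext IMAP mailbox login"
    return None


def triage(log_text):
    """Return {device: sorted findings} for the suspicious patterns above."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, device, _host, port, payload = m.groups()
        hit = classify(int(port), payload)
        if hit:
            findings[device].add(hit)
    return {d: sorted(f) for d, f in findings.items()}


if __name__ == "__main__":
    for device, hits in triage(SAMPLE_LOG).items():
        print(device, "->", "; ".join(hits))
```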
Further analysis of the FTP server revealed multiple TXT files featuring victim identifiers, as well as an ASUS firmware component. And an investigation of the attackers’ email account turned up additional personal data on victims, including messages from IM applications.
“We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor,” the blog post states. “At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware.”
According to Kaspersky, BusyGasper’s initial module primarily enables C&C communication and the downloading of other components. The second, main module logs the malware’s command execution history and introduces most of the spying and C&C email capabilities. There is also a separate keylogger component.
Moreover, researchers found a hidden menu for controlling implant features that “looks like it was created for manual operator control,” Firsh writes. “To activate this menu, the operator needs to call the hardcoded number ‘9909’ from the infected device” — another indicator that the attacker may be in close proximity to the targeted device.