The non-profit security organization Security Without Borders (SWB) has identified a campaign utilizing Italian-language service applications from mobile operators apps that instead of doing their stated function are in fact spyware.
The groups report stated that dozens of infected apps had been found in the Google Play store with a possible download total in the thousands. The spyware is quite invasive copying and eventually extracting not only the phone’s data, but information from the other apps on the device. This includes Facebook contact lists, Facebook Messenger, Telegram, WeChat and WhatApp among many others.
The organization, which dubbed the malware Exodus, said it has been operating since 2016. Google has been informed and has removed the apps, but the malicious actors behind the campaign have been known to re-establish them on Google Play. Google confirmed to SWB that about 25 variants of Exodus have been found and removed.
An attack takes place in two stages. After an infected app is downloaded the first stage, dubbed Exodus 1, grabs the device’s basic info, such as the phone number, to validate the target. Stage two has Exodus 1 dynamically load and execute the primary stage 2 payload.
“Of the various binaries downloaded, the most interesting are null, which serves as a local and reverse shell, and rootdaemon, which takes care of privilege escalation and data acquisition. rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit,” the report stated.
The stolen data is temporarily stored on the device’s SD card for eventual downloading by the command and control server.