
Android spyware BusyGasper has many features, but few known victims

A newly discovered mobile malware implant nicknamed BusyGasper might leave a few Android users breathless, if they knew about the unusual set of features the spyware uses to snoop on them.

In an Aug. 29 blog post, Kaspersky Lab researcher Alexey Firsh reports that BusyGasper has existed since at least May 2016. But there's a good reason it has managed to fly under the radar until recently: there are fewer than 10 victims, all apparently based in Russia, and two of these may be test devices. In fact, Kaspersky believes the infection vector for this small set of devices could be manual installation, which requires physical access to the targeted equipment.

In its current form, the modular malware can reportedly issue around 100 commands, and its capabilities include spying on device sensors (including motion detectors), exfiltrating data from messaging apps (e.g., WhatsApp, Viber and Facebook), keylogging, and bypassing the Doze battery saver.

From an architectural standpoint, BusyGasper uses the IRC (Internet Relay Chat) protocol, rare for Android malware, to communicate with its command-and-control FTP server, which has been traced to the free Russian web hosting service Ucoz. Additionally, it can receive C2 instructions by logging into the attacker's email inbox and searching for commands, as well as for malicious payloads in the form of email attachments.

Further analysis of the FTP server revealed multiple TXT files featuring victim identifiers, as well as an ASUS firmware component. And an investigation of the attackers' email account turned up additional personal data on victims, including messages from IM applications.

"We found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and used by a single threat actor," the blog post states. "At the same time, the lack of encryption, use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware."

According to Kaspersky, BusyGasper's initial module primarily enables C2 communication and the downloading of other components. The second, main module logs the malware's command execution history and introduces most of the spying and C2-over-email capabilities. There is also a separate keylogger component.

Moreover, researchers found a hidden menu for controlling implant features that "looks like it was created for manual operator control," Firsh writes. "To activate this menu, the operator needs to call the hardcoded number '9909' from the infected device" -- another indicator that the attacker may be in close proximity to the targeted device.
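The capabilities described above (a dial-code trigger for the hidden menu, a Doze bypass, keylogging and IM scraping, persistence) each tend to leave a footprint in an app's manifest. The script below is an added example, not code from the Kaspersky analysis or from BusyGasper itself: it triages a decoded AndroidManifest.xml for those indicators. The sample manifest is constructed, and the mapping from permissions and components to capabilities is the editor's heuristic, not a signature for this implant; a legitimate dialer or accessibility app will trip several of these checks, so the output is a list of things to look at, not a verdict.

```python
"""Triage a decoded AndroidManifest.xml for indicators that match the
spyware capabilities described in the article.

Added example. The manifest below is CONSTRUCTED for illustration and the
indicator-to-capability mapping is a heuristic assumption, not Kaspersky's
finding about BusyGasper. The one fact the checks rely on is how Android
wires these features: outgoing-call interception needs the
PROCESS_OUTGOING_CALLS permission and a NEW_OUTGOING_CALL receiver, a Doze
exemption is requested via REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, and screen
text / keystroke access comes from an accessibility service, which must be
exported under the BIND_ACCESSIBILITY_SERVICE permission.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# Heuristic: permissions that enable the kinds of collection the article lists.
PERMISSION_HINTS = {
    "android.permission.PROCESS_OUTGOING_CALLS": "sees dialed numbers (dial-code trigger)",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "can request a Doze exemption",
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.RECORD_AUDIO": "records audio",
    "android.permission.ACCESS_FINE_LOCATION": "tracks location",
}

# Broadcast actions whose receivers deserve a second look.
RECEIVER_HINTS = {
    "android.intent.action.NEW_OUTGOING_CALL": "intercepts outgoing calls (hidden-menu dial code)",
    "android.intent.action.BOOT_COMPLETED": "restarts at boot (persistence)",
}

ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _intent_names(component, tag):
    """Collect <action>/<category> names from all intent-filters of a component."""
    return {e.get(A_NAME) for f in component.findall("intent-filter") for e in f.findall(tag)}


def triage_manifest(xml_text):
    """Return a list of (kind, name, why) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.findall("uses-permission"):
        name = up.get(A_NAME)
        if name in PERMISSION_HINTS:
            findings.append(("permission", name, PERMISSION_HINTS[name]))
    app = root.find("application")
    if app is None:
        return findings
    for rcv in app.findall("receiver"):
        for action in sorted(_intent_names(rcv, "action") & set(RECEIVER_HINTS)):
            findings.append(("receiver", rcv.get(A_NAME), RECEIVER_HINTS[action]))
    for svc in app.findall("service"):
        if svc.get(A_PERMISSION) == ACCESSIBILITY_PERMISSION:
            findings.append(("service", svc.get(A_NAME),
                             "accessibility service: can read screen text and keystrokes (keylogging, IM scraping)"))
    # An app with no launcher activity has no icon in the app drawer.
    if not any(LAUNCHER_CATEGORY in _intent_names(a, "category") for a in app.findall("activity")):
        findings.append(("application", root.get("package"), "no launcher activity: no icon in app drawer"))
    return findings


# Constructed sample manifest (not BusyGasper's); the component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System">
    <receiver android:name=".CallWatcher">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <activity android:name=".HiddenMenu"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for kind, name, why in triage_manifest(SAMPLE_MANIFEST):
        print("%-12s %-55s %s" % (kind, name, why))
```

To use it on a real sample, decode the binary manifest first (for example with apktool) and pass the resulting XML text to `triage_manifest`; the script only parses, it does not unpack APKs. Note that the dial-code trigger is the same mechanism legitimate "secret code" dialer features use, so that finding on its own says nothing about intent.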

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
