Security experts discovered a new Android spyware called Exaspy which is used in attacks against high-level company executives.
Exaspy Android Spyware Targets Executives
Security researchers have discovered a new Android spyware strain called Exaspy which is used in coordinated attacks against high-level company executives. Reports from malware experts indicate that the threat is sold as a subscription package for 15 US dollars a month. Its capabilities include interception of almost all phone-based communications, such as phone calls, text messages, Skype messages and photos.
Exaspy was first reported in September, when a customer of Skycure Research Labs found a counterfeit application named Google Services running on a device owned by a high-level executive. According to the Skycure experts, the application was running with full administrative rights.
The current version of Exaspy is compatible only with the Android operating system, and installation requires physical access to the device. According to the security analysis, the spyware has not used any of the typical infection methods such as binary file distribution via email spam or malicious ads.
Upon infection the spyware disguises itself by renaming itself as “Google Services” and, during installation, does not create its own icon on the launcher. According to the researchers, it is currently not detected by most anti-virus and anti-spyware solutions.
The spyware has a wide range of capabilities including the following:
- Execute arbitrary shell commands remotely
- Spawn a reverse shell for remote access
- Transfer files to remote malicious servers
- Record audio in the background or record telephone calls
- Access the photo library and take covert screenshots of the device
- Collect contact lists, calendars, browser history, call logs and more
An interesting characteristic of the spyware is that its remote command and control (C&C) servers are hosted on Google’s Cloud services and the payload is downloaded from a hard-coded URL.
How To Protect From The Exaspy Spyware
The Skycure security team recommends that users follow a few suggestions to improve their security and defend against attacks that involve physical access to their devices, including Exaspy:
- Set up a PIN code for the lock screen and enable fingerprint authentication
- Disable USB debugging mode
- Turn off the OEM Unlocking feature
- Regularly check the Android device administrators list and disable untrusted components
- Use proactive anti-spyware solutions
- Do not download apps from untrusted sources
- Do not give permissions to apps that should not require them
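As an added, defender-side example that is not part of the Skycure write-up, the following POSIX shell script applies the device-administrator and "counterfeit Google Services" checks above to output captured from a device with `adb shell dumpsys device_policy`, `adb shell pm list packages -3` and `adb shell settings get global adb_enabled`. The sample text, the trusted-package list and every package name in it are constructed for illustration; the write-up does not name Exaspy's real package or component identifiers.

```shell
#!/bin/sh
# Constructed sample inputs that mimic the shape of `adb shell dumpsys device_policy`
# and `adb shell pm list packages -3` output. Package names are invented placeholders.
SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10016
    com.services.google/.AdminReceiver:
      uid=10214'
SAMPLE_THIRD_PARTY_PKGS='package:com.example.mail
package:com.services.google
package:com.google.android.apps.docs'
# Assumption: packages allowed to hold device-admin rights in your fleet (tune per environment).
TRUSTED_ADMIN_PKGS="com.google.android.gms"

# Print each enabled admin component (package/receiver) found in a dumpsys excerpt.
list_device_admins() {
    printf '%s\n' "$1" | awk '
        /^[ \t]+[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:[ \t]*$/ {
            sub(/^[ \t]+/, ""); sub(/:[ \t]*$/, ""); print
        }'
}

# Print admin components whose package is not on the trusted list.
flag_untrusted_admins() {
    list_device_admins "$1" | while IFS= read -r comp; do
        pkg=${comp%%/*}
        trusted=0
        for t in $TRUSTED_ADMIN_PKGS; do
            if [ "$pkg" = "$t" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then printf '%s\n' "$comp"; fi
    done
}

# Print third-party packages that use "google" in their name but live outside
# Google's own com.google.* namespace (the counterfeit "Google Services" pattern).
flag_google_lookalikes() {
    printf '%s\n' "$1" | sed -n 's/^package://p' \
        | awk 'tolower($0) ~ /google/ && $0 !~ /^com\.google\./'
}

# "1" means USB debugging is on; feed it the value of `settings get global adb_enabled`.
usb_debugging_enabled() { [ "$1" = "1" ]; }

# Stand-alone run over the constructed samples.
echo "Untrusted device admins:";   flag_untrusted_admins "$SAMPLE_DEVICE_POLICY"
echo "Google look-alike packages:"; flag_google_lookalikes "$SAMPLE_THIRD_PARTY_PKGS"
```

On a real device, replace the sample strings with the captured command output; any line printed by the two flag functions, or a `1` from `adb_enabled`, is a finding to investigate under the recommendations above.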