Exaspy – Commodity Android Spyware Targeting High-level Executives


We are entering a new era of mobile threats as Android spyware evolves into a commodity product. What that means is that you no longer need deep technical expertise to hack into someone’s mobile device. The spyware attackers need is now available online for easy purchase and use, much like the tools available for running DDoS attacks against websites. This is a significant step in the evolution of mobile malware, and one that makes proactive mobile threat defense for IT that much more important.

Last month, Skycure Research Labs detected a fake app inside one of our customers’ organizations, identified through our crowd-sourced intelligence policies (whereby anyone running the Skycure mobile app acts as a threat-detecting sensor). This customer is a global technology company, which deployed Skycure’s Enterprise Mobile Threat Defense solution for all iOS and Android devices within their organization. This incident occurred on an Android 6.0.1 device owned by one of the company’s Vice Presidents. The customer has given us approval to share some of the details about the spyware app that Skycure discovered.

Screenshot of the main screen of Exaspy. This is what a user sees when launching the app for the first time, before the app hides itself and installs itself as a system package.

What we found
The victim’s Android device was infected with a malicious app, identified as Exaspy, which is a commercial Android spyware package that gives an attacker access to much of the victim’s data, including:

  1. Chats and messages: SMS, MMS, Facebook Messenger, Google Hangouts, Skype,
    Gmail, the native email client, Viber, WhatsApp and more.
  2. Audio: the ability to record audio in the background or during phone calls.
  3. Pictures: access to your picture library, but also the ability to take secret screenshots of
    your device.
  4. History: collection of contact lists, calendars, browser history, call logs, and more.

The C&C (command and control) server is able to issue requests of its own, which include:

  1. Monitoring and transmitting local files, such as photos and videos taken.
  2. Executing shell commands, or spawning a reverse shell, which allows the app to elevate
    its privileges using exploits that are not included in the basic package.

The potential damage to the end user here is huge, which makes the compounded risk to an enterprise significantly worse. Here are just some of the scenarios an enterprise might face with a malicious mobile app like this running on its mobile devices:
  ● Collection of confidential company information, which might include financial
    information, intellectual property, product information, stealth recordings of confidential meetings, and more.
  ● Having the attacker blackmail the enterprise into paying large sums of money to
    prevent the information obtained from being leaked.

How it works
Based on Skycure Research Labs’ dissection of the Exaspy malware, we have been able to
identify some key characteristics of how the malware operates. Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:

  1. The malware requests device administrator rights
  2. Asks (nicely) for a license number
  3. Hides itself [1]
  4. Requests root access (if the device is rooted and managed through popular rooting
    apps [2]). Once granted, it installs itself as a system package to make uninstalling it harder.

Note that although root access may be refused by the SU manager (such as
SuperSU), once the C&C connection is initiated, the server can send a root exploit to
perform this itself.

Once the app is successfully installed, it runs on the mobile device in the following manner:

  1. The app is named “Google Services” and uses the package name “com.android.shield”.
    1. This is a clear disguise of Google Play Services, a popular suite of APIs Android
      apps can use to enrich their functionality (push notifications, maps, etc.).
  2. The app communicates with the following servers:
    1. hxxps://api.andr0idservices.com (conveniently hosted in Google Cloud [3])
    2. Downloads updates from the hard-coded URL
  3. The app automatically hides itself from the launcher (by disabling its main activity)
  4. The app disables Samsung’s SPCM service [4] and the com.samsung.android.smcore
    package [5] so it can run in the background without Samsung’s service killing it.
  5. The app also installs itself as a system package to prevent removal by the user.

Why is this interesting?
Spyware apps for Android and iOS have been around for a long time. However, a few
high-profile cases seem to indicate a disturbing trend in the sophistication and prevalence of attacks on high-profile individuals. Note the recent Pegasus spyware used on an Emirati human rights advocate by his government, and the attacks on Democratic party officials’ phones.

Classic anti-malware products still do not do a good job of detecting them. The classic approach requires creating a signature for every new family of malware. This signature might be a string within the executable, a linked library or a compiled code pattern.

Creating such signatures requires manual inspection of the sample, and this is why traditional anti-virus and anti-malware software solutions need frequent updating, take a lot of time to run, and do not always succeed.

Another approach involves executing an app in a sandbox (dynamic analysis), which can detect parts of these threats. As we showed at AppSecEU 16, though, malicious apps can simply leave malicious code out when a sandbox is detected.

In this case, data gathered from Skycure’s crowd-sourced intelligence apparatus flagged this app as an anomaly. IT administrators should be aware of the great variety of spyware apps attackers can easily purchase online for carrying out these kinds of attacks.

How do I protect myself and my end users?

  1. To protect against attacks that require physical access to your device:
    a. Set up PIN codes and fingerprint authentication
    b. Disable USB debugging
    c. Make sure OEM Unlocking is turned off
  2. Regularly check Android’s Device Administrators list and disable components you don’t
  3. Install Skycure’s Mobile Threat Defense solution, which protects users against these and
    other kinds of threats
  4. Avoid downloading apps from untrusted stores
  5. Don’t give special permissions to apps that shouldn’t require them

Mobile attacks used to require a special level of skill, which made them rarer, but in today’s market it is easy for anyone to pay their way to becoming a threat. The Exaspy malware, which we have outlined above, is just one of the packages that IT professionals need to defend against. And that defense is more important than ever when you consider statistics like:

  • The average cost of a data breach is 4 million, according to IBM
  • 27% of users are running a mobile OS that is outdated, according to Skycure’s quarterly mobile threat report
  • 45% of mobile devices will face a network attack within the first 4 months of monitoring,
    also according to Skycure’s quarterly threat report

When you add up these stats and combine them with threats like Exaspy, it is clear that IT needs to be proactive in today’s mobile market. It only takes malware on one user’s device to put the entire organization at risk. We encourage all IT professionals to read more on how they can leverage platforms like Skycure’s Enterprise Mobile Threat Defense solution to keep users safe.

Technical details
Here are some more technical details that may help IT professionals identify this app in their organization:

Identified hashes:

Package names:
● com.android.shield

Public key info:
● Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy
● Fingerprint: c5c82ecf20af94e0f2a19078b790d843 4ccedb59

1. To reveal the hidden app, a user should dial ‘11223344’
2. SuperSU, kingouser, SuperUser by noshufou
3. An IP belonging to 130.211.8.0/21, listed under _cloud-netblocks4.googleusercontent.com
4. BuildProp.setProp("sys.config.spcm_enable", "false");
   BuildProp.setProp("sys.config.spcm_gcm_kill_enable", "false");
5. This is achieved by executing pm disable com.samsung.android.smcore via a root shell.
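As an added example (not code from the original post or from Skycure), the following Python script applies the indicators from the “How it works” section, the mitigation list and the technical details above (the com.android.shield package name, the two SPCM build properties from note 4, device administrator rights and USB debugging) to captured adb output. The sample output is constructed, and the layout of the dumpsys device_policy text is an assumption.

```python
import re

# Indicators from the Exaspy writeup; the adb output samples below are constructed.
EXASPY_PACKAGES = {"com.android.shield"}
SPCM_PROPS = {"sys.config.spcm_enable", "sys.config.spcm_gcm_kill_enable"}

PKG_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")      # pm list packages -f
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")    # getprop
ADMIN_RE = re.compile(r"\b([a-z]\w*(?:\.\w+)+)/[\w.$]+")               # pkg/Receiver entries (assumed dumpsys layout)

def triage(pm_out, getprop_out, policy_out, adb_enabled_out):
    # Return (severity, message) findings from the text of four adb shell commands.
    findings = []
    for line in pm_out.splitlines():
        m = PKG_RE.match(line.strip())
        if m and m["pkg"] in EXASPY_PACKAGES:
            where = "system" if m["path"].startswith("/system/") else "user"
            findings.append(("high", f"known Exaspy package {m['pkg']} installed as a {where} app"))
    for line in getprop_out.splitlines():
        m = PROP_RE.match(line.strip())
        if m and m["key"] in SPCM_PROPS and m["val"] == "false":
            findings.append(("medium", f"Samsung SPCM guard disabled: {m['key']}=false"))
    for pkg in sorted(set(ADMIN_RE.findall(policy_out))):
        if pkg in EXASPY_PACKAGES:
            findings.append(("high", f"{pkg} holds device administrator rights"))
    if adb_enabled_out.strip() == "1":
        findings.append(("low", "USB debugging is enabled (physical-access risk)"))
    return findings

# Constructed samples in the shape of `adb shell pm list packages -f`, `adb shell getprop`,
# `adb shell dumpsys device_policy` and `adb shell settings get global adb_enabled`.
PM_SAMPLE = """package:/system/priv-app/GoogleServices/base.apk=com.android.shield
package:/data/app/com.google.android.gms-1/base.apk=com.google.android.gms
"""
GETPROP_SAMPLE = """[ro.build.version.release]: [6.0.1]
[sys.config.spcm_enable]: [false]
[sys.config.spcm_gcm_kill_enable]: [false]
"""
POLICY_SAMPLE = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.shield/com.android.shield.AdminReceiver:
      uid=10123
"""

def demo():
    return triage(PM_SAMPLE, GETPROP_SAMPLE, POLICY_SAMPLE, "1\n")
```

On a real device, feed the script the output of the four adb commands named in the comments; an empty result means none of the page's indicators were seen, not that the device is clean.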
