We are entering a new era of mobile threats as Android spyware evolves to become a commodity product. What that means is that you no longer need deep technical expertise to hack into someone’s mobile device. The spyware attackers need is now available online for easy purchase and use, similar to the tools available for running DDoS attacks against websites. This is a significant step in the evolution of mobile malware, and one which will make proactive mobile threat defense for IT that much more crucial.
Background
Early September, Skycure Research Labs (now part of Symantec) detected a fake app within one of our customer’s organizations, identified through our crowd-sourced intelligence policies (whereby anyone running the SEP Mobile app acts as a threat detecting sensor). This customer is a global technology company, which deployed Skycure’s Enterprise Mobile Threat Defense solution (now Symantec Endpoint Protection Mobile) for all iOS and Android devices within their organization. This incident happened on an Android 6.0.1 device, owned by one of the company’s Vice Presidents. The customer has given us approval to share some of the details about the Spyware app that Skycure discovered.
What we found
The victim’s Android device was infected with a malicious app, identified as Exaspy, which is a commercial Android spyware package that gives an attacker access to a lot of the victim’s data, which includes:
- Chats and messages: SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, native email client, Skype, Viber, WhatsApp and more.
- Audio: Ability to record audio it captures in the background or while on telephone calls.
- Pictures: Access to your picture library, but also the ability to take secret screenshots of your device.
- History: Collect contact lists, calendars, browser history, call logs, and more.
The CNC (command and control) server is able to perform requests of its own, which include:
- Monitor and transmit local files, such as photos and videos taken.
- Execute shell commands, or spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package.
The potential damage to the end user here is huge, which makes the compounded risk to an enterprise significantly worse. Here are just a few of the scenarios an enterprise could face with a malicious mobile app like this running on their mobile devices:
- Collection of confidential company information, which might include financial information, intellectual property, product information, stealth recordings of confidential meetings, and more.
- Having the attacker blackmail the enterprise into paying large sums of money to prevent leaking the information obtained.
How it works
Based on our research lab's dissection of the Exaspy malware, we’ve been able to identify some key characteristics about how the malware operates. Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:
- Malware requests access to device admin rights
- Asks (nicely) for a licence number
- Hides itself
- Requests access to root (if the device is rooted and managed through popular rooting apps). Once granted, it installs itself as a system package to make its uninstallation process harder.
Note that although root access may be refused by the SU manager (such as SuperSU), once CNC connection is initiated, the server can send a root exploit to perform this itself.
Once the app is successfully installed, it runs on the mobile device in the following manner:
- The app is named “Google Services” and uses the package name “com.android.protect”.
- This is a clear disguise of Google Play Services, a popular suite of APIs Android apps can utilize for enriching their apps (push notifications, maps, etc).
- The app communicates with the following servers:
- hxxps://api.andr0idservices.com (130.211.9.200, Conveniently hosted in Google Cloud)
- Downloads updates from the hard-coded URL hxxp://www.exaspy.com/a.apk
- The app will automatically hide itself from the launcher (by disabling its main activity component).
- The app will disable Samsung’s SPCM service and com.samsung.android.smcore package so it can run in the background without Samsung’s service killing it.
- The app will also install itself as a system package to prevent removal by the user.
Sample code from Exaspy’s Skype parsing module
Why is this interesting?
Spyware apps for Android and iOS have been around for a long time. However a few high-profile cases seem to indicate a disturbing trend in sophistication and prevalence of attacks on high-profile individuals. Note the recent Pegasus Spyware used on an Emirates human rights advocate by his government, and the attacks on Democratic party officials’ mobile phones.
Classic anti-malware products still don’t do a good job of detecting them. The classic approach requires creating a signature for every new family of malware. This signature might be a string within the executable, a linked library or a compiled code sample. Creating such signatures requires a manual inspection of the sample and this is why traditional anti-virus and anti-malware software solutions need frequent updating, take a lot of time to run, and don’t always succeed.
Another approach involves executing an app in a sandbox (dynamic analysis) which can detect parts of these threats. As we’ve shown in AppSecEU 16, though, malicious apps can easily leave malicious code out when a sandbox is detected.
In this case, data gathered from SEP Mobile's crowd-sourced intelligence apparatus showed this app as an anomaly. IT administrators should be aware of the great number of Spyware apps attackers can purchase easily online for using these kinds of attacks.
How do I protect myself and my end users?
- To protect against attacks that require physical access to your device:
- Set up PIN codes and fingerprint authentication
- Disable USB debugging
- Make sure OEM Unlocking is turned off
- Regularly check Android’s Device Administrators list and disable components you don’t trust
- Install the SEP Mobile solution, which protects users against these and other kinds of threats
- Avoid downloading apps from untrusted stores
- Don’t give special permissions to apps that shouldn’t require them
Conclusion
Mobile attacks used to require a special level of skill which made them more rare, but in today’s market it is easy for anyone to pay their way to being a threat. The Exaspy malware, which we have outlined above, is just one of those packages that IT professionals need to defend against. And that defense is more crucial than ever when you consider statistics like:
- The average cost of a data breach is four million dollars, according to IBM
- 27% of users are running a mobile OS that is outdated, according to Skycure’s quarterly mobile threat report
- 45% of mobile devices will face a network attack within the first 4 months of monitoring, also according to Skycure’s quarterly threat report
When you add up these stats and combine it with threats like Exaspy, it’s clear that IT has to be proactive in today’s mobile market. It only takes malware on one user’s device to put the entire organization at risk. We encourage all IT professionals to read more on how you can leverage platforms like Symantec Endpoint Protection Mobile solution to keep users safe.
Technical details
Here are some additional technical details that may help IT professionals identify this app in their organization:
Known hashes:
- c4826138e07636af1eeb6008e580704575ec1bc7
- 4bf89c3bf4fb88ad6456fe5642868272e4e2f364
- 9725c1bf9483ff41f226f22bd331387c187e9179
- c4826138e07636af1eeb6008e580704575ec1bc7
- f1fbebc2beafe0467ee00e69b3f75719cdbbd693
Package names:
Public key information:
- Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy
- Fingerprint: c5c82ecf20af94e0f2a19078b790d8434ccedb59