Android spyware has been around and active for over two years, researchers said.
BusyGasper is the malware and it includes device sensors listeners (such as motion detectors), it can also exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands, said researchers at Kaspersky Lab.
Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.
The spyware also includes support for the IRC protocol and can “can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments,” Kaspersky researchers said.
The malware, researchers said, appears to be installed manually, likely through physical access to a compromised device. Thus, fewer than 10 victims have been identified to date, all of them located in Russia.
The attackers collected victims’ personal data, including messages from IM applications, and SMS banking messages, yet the actor doesn’t appear interested in stealing the victims’ money.
An initial module installed on the targeted device can be controlled over the IRC protocol and allows operators to deploy additional components. The module apparently has root privileges, yet the researchers found no evidence of an exploit being used to obtain such rights.