Analecta Cyber Company Blog: Android Malware Exaspy found Targeting Executives


Android Malware Exaspy found Targeting Executives

Researchers at Skycure Research Labs have identified a malicious Android application on a senior executive's mobile phone. The malware is disguised as a legitimate application and may be difficult to distinguish from other applications in the Android application store. Once installed, the malware hides itself on the device by renaming itself "Google Services." Read on for capabilities, signatures and other artifacts.

Affected Data & Services

The Exaspy malware is offered as a low-cost turn-key spyware offering and has extensive capabilities to spy on nearly all the features of an Android device. Features of the malware include the ability for a remote attacker to access:

- Facebook Messenger conversations
- Google Hangouts conversations
- Texts, SMS and MMS messages
- Email contents
- Skype conversations
- Viber and WhatsApp conversations
- Photos and videos on the device
- Browser history
- Telephone call history
- Screenshots taken on the device

More troubling still, the malware is able to turn on the microphone and record audio - both telephone conversations and background (ambient) sound picked up by the device.

Identifying the malware

Current versions of the malware can be identified in a few different ways.

Network Artifacts

You may be able to identify the malicious software through network analysis, specifically identifying DNS requests for the following domains:

Currently, the downloaded updates are named "a.apk" and are fetched over unencrypted HTTP (the hard-coded URL hxxp:// was active at the time of this writing).
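As an added illustration of the network checks above (this is not code from the original post or from Skycure), the following Python script scans a constructed DNS/proxy log for the two artifacts the post describes: queries or connections to the known command-and-control domains, and cleartext HTTP downloads of a file named "a.apk". The domain list is a placeholder in the reserved .invalid TLD, since the post's domains are not reproduced here; the log format is an assumption made for the example.

```python
from urllib.parse import urlparse

# Indicator set. The C2 domains from the advisory are not reproduced here, so
# this is a constructed placeholder (reserved .invalid TLD): replace it with
# the domains listed in the original post.
EXASPY_DOMAINS = {"example-c2-domain.invalid"}
UPDATE_FILENAME = "a.apk"   # update file name stated in the post

# Constructed sample log in a simple format: <timestamp> <client> <kind> <detail>
# where kind is DNS (detail = queried name) or HTTP (detail = "<method> <url>").
SAMPLE_LOG = """\
2016-11-01T10:00:01Z 10.0.0.5 DNS example-c2-domain.invalid
2016-11-01T10:00:02Z 10.0.0.5 HTTP GET http://example-c2-domain.invalid/a.apk
2016-11-01T10:01:00Z 10.0.0.7 HTTP GET https://www.example.org/index.html
2016-11-01T10:02:00Z 10.0.0.9 HTTP GET http://cdn.example.net/update/a.apk
2016-11-01T10:03:00Z 10.0.0.7 DNS www.example.org
"""


def analyze_line(line):
    """Return (client, indicator, value) for a suspicious line, else None."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    _ts, client, kind, detail = parts
    if kind == "DNS":
        name = detail.strip().lower().rstrip(".")
        if name in EXASPY_DOMAINS:
            return (client, "dns-known-c2", name)
        return None
    if kind == "HTTP":
        _method, _, url = detail.partition(" ")
        u = urlparse(url.strip())
        host = (u.hostname or "").lower()
        if host in EXASPY_DOMAINS:
            return (client, "http-known-c2", url)
        # Weaker, generic signal: a cleartext HTTP fetch of a file named a.apk.
        # Expect benign hits (mirrors, test builds); use it to prioritise
        # review of the client, not as a standalone verdict.
        if u.scheme == "http" and u.path.rsplit("/", 1)[-1] == UPDATE_FILENAME:
            return (client, "cleartext-apk-download", url)
    return None


def scan_log(text):
    """Run analyze_line over every line and collect the findings in order."""
    return [hit for hit in (analyze_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for client, indicator, value in scan_log(SAMPLE_LOG):
        print(f"{client}\t{indicator}\t{value}")
```

On the sample log this yields three findings: the DNS query and the download from the placeholder C2 host for client 10.0.0.5, and a generic cleartext a.apk download for 10.0.0.9 that warrants a closer look rather than an automatic verdict.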

Filesystem Artifacts

The following SHA1 values reflect known files associated with Exaspy:

Android OS Specific Artifacts

The application is named “Google Services”.
The package name is “”.

Certificate Related Artifacts

Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy
Fingerprint: c5c82ecf20af94e0f2a19078b790d8434ccedb59
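As an added example (not code from the original post or from Skycure), the Python below matches an installed app against the certificate and naming artifacts above: the signer subject /O=Exaspy/OU=Exaspy/CN=Exaspy, the SHA1 certificate fingerprint, and the "Google Services" label on a package outside Google's namespace. It assumes the signer certificate has already been dumped with OpenSSL (for a v1-signed APK, for instance `unzip -p app.apk 'META-INF/*.RSA' | openssl pkcs7 -inform DER -print_certs | openssl x509 -noout -subject -fingerprint -sha1`) and that the label and package name were collected from the device; the sample inventory, the placeholder package name (the post withholds the real one) and the com.google. namespace rule are assumptions made for the example.

```python
import re

# Indicators from the post.
EXASPY_SUBJECT = {"O": "Exaspy", "OU": "Exaspy", "CN": "Exaspy"}
EXASPY_SHA1 = "c5c82ecf20af94e0f2a19078b790d8434ccedb59"
DISGUISE_LABEL = "Google Services"

# Assumption: Google's own apps live under the com.google. package namespace,
# so a "Google Services" label outside it is the disguise the post describes.
GOOGLE_PACKAGE_PREFIX = "com.google."


def parse_subject(line):
    """Map RDN type -> value from an OpenSSL subject line.

    Accepts the post's form ('Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy'), the
    legacy openssl form ('subject= /O=.../CN=...') and the newer comma form
    ('subject=O = Exaspy, OU = Exaspy, CN = Exaspy'). Values that themselves
    contain the separator character are not handled.
    """
    m = re.match(r"\s*subject\s*[:=]\s*(.*)$", line, re.IGNORECASE)
    body = (m.group(1) if m else line).strip()
    parts = body.strip("/").split("/") if body.startswith("/") else body.split(",")
    rdns = {}
    for part in parts:
        key, _, value = part.partition("=")
        if key.strip():
            rdns[key.strip().upper()] = value.strip()
    return rdns


def normalize_fingerprint(text):
    """Extract a SHA-1 fingerprint ('C5:C8:...' or bare hex) as lowercase hex."""
    m = re.search(r"((?:[0-9A-Fa-f]{2}[:\- ]?){20})", text)
    return re.sub(r"[^0-9a-f]", "", m.group(1).lower()) if m else ""


def assess_app(label, package, subject_line, fingerprint_line):
    """Return the indicator names that fire for one installed app."""
    hits = []
    rdns = parse_subject(subject_line)
    if all(rdns.get(k) == v for k, v in EXASPY_SUBJECT.items()):
        hits.append("signer-subject-exaspy")
    if normalize_fingerprint(fingerprint_line) == EXASPY_SHA1:
        hits.append("signer-sha1-exaspy")
    # Contextual signal: the disguise name on a non-Google package.
    if (label.strip().lower() == DISGUISE_LABEL.lower()
            and not package.startswith(GOOGLE_PACKAGE_PREFIX)):
        hits.append("google-services-label-outside-google-namespace")
    return hits


# Constructed sample inventory: (label, package, subject line, fingerprint line).
# The post withholds the package name, so the first entry uses a placeholder;
# the second entry's certificate values are made up for the example.
SAMPLE_APPS = [
    ("Google Services", "com.placeholder.exaspy",
     "subject= /O=Exaspy/OU=Exaspy/CN=Exaspy",
     "SHA1 Fingerprint=C5:C8:2E:CF:20:AF:94:E0:F2:A1:90:78:B7:90:D8:43:4C:CE:DB:59"),
    ("Example Notes", "com.example.notes",
     "subject=O = Example Vendor, CN = Example Release Key",
     "SHA1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"),
]


def scan_apps(apps):
    """Map package name -> fired indicators, keeping only apps with at least one."""
    results = {}
    for label, package, subject_line, fp_line in apps:
        hits = assess_app(label, package, subject_line, fp_line)
        if hits:
            results[package] = hits
    return results


if __name__ == "__main__":
    for package, hits in scan_apps(SAMPLE_APPS).items():
        print(f"{package}: {', '.join(hits)}")
```

The fingerprint comparison is the strongest of the three checks because it is tied to the signing key; the subject match would survive a re-issued certificate with the same name, and the label check only narrows the list of apps worth inspecting.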
