A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation.
Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.
Analyzing its functions, the researchers noticed a feature in BusyGasper that allows it to calculate the device's speed. The spyware uses this information to determine when the phone is not used by the victim and make the device look as if it were in standby mode while being in an active state.
It uses a command "that mutes the device, disables keyguard, turns off the brightness, uses wake lock and listens to device sensors," Kaspersky's Alexey Firsh writes in the analysis.
BusyGasper immediately runs an instruction that disables its backdoor operations when the victim picks up the phone and then simulates the pressing of the Home button to minimize current activities.
The spyware can also access the logs from other sensors (air temperature and pressure), which could provide the attacker with more information about the conditions of the victim's whereabouts.
Although BusyGasper appears to have been active since 2016, it is not widespread and seems to be the work of a single threat actor with little experience in running malware campaigns.
The researchers noticed that the developer did not implement an encryption component in the spyware and used a free public FTP server (Russian web hosting provider Ucoz) for command and control.
The command and control server contained text files with commands and victim identifiers. It looks like the spying tool infected only seven phones, but three of them appear to be test devices.
The malware has access to an email inbox belonging to the attacker where it can look for new commands and payloads in a particular folder. It also uses the address to exfiltrate the data from compromised devices.
Firsh says that the information in the email account included a large cache of the victims' personal data, as well as messages from IM apps.
"Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims' money," the researcher added.
The keylogging feature has been implemented in an original way by the author of BusyGasper.
First, it records all the taps on the screen and collects their coordinates. Next, it determines the characters by matching their location to a set of hardcoded values.
After installation, it creates a TextView component in a new window that can display text; specific window parameters make the element invisible to the user.
To make sure that it gets all the details correctly, the keylogger can also take a screenshot of the areas tapped by the victim.
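The capabilities described above (an invisible overlay window, a wake lock, keyguard disabling, SMS collection, and a plaintext FTP server for command and control) are the kind of combination a triage script can look for in a sample's manifest and string table. The following Python is an added example for illustration and is not code from the article or from Kaspersky's analysis; the permission names are the standard Android ones an app would need for those behaviours (the article does not list BusyGasper's manifest, so that mapping is an assumption), and the manifest, string table and FTP host below are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> permission. Assumption: these are the standard Android
# permissions an app needs for the behaviours the article describes; the
# article itself does not publish BusyGasper's manifest.
CAPABILITY_PERMISSIONS = {
    "overlay_window": "android.permission.SYSTEM_ALERT_WINDOW",   # invisible TextView window
    "wake_lock": "android.permission.WAKE_LOCK",                   # stay awake while "in standby"
    "keyguard_disable": "android.permission.DISABLE_KEYGUARD",     # disable the lock screen
    "sms_read": "android.permission.READ_SMS",                     # SMS banking messages
    "network": "android.permission.INTERNET",                      # exfiltration / C2
}

# Cleartext FTP endpoints embedded in the string table.
CLEARTEXT_FTP = re.compile(r"ftp://[^\s\"']+", re.IGNORECASE)

# Constructed sample manifest (placeholder package name and host).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="placeholder"/>
</manifest>
"""
SAMPLE_STRINGS = ["cmd.txt", "ftp://files.example-host.invalid/cmds/", "victim_id"]

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="benign"/>
</manifest>
"""


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Score a sample by the capability combinations the article describes."""
    perms = manifest_permissions(manifest_xml)
    caps = {cap for cap, perm in CAPABILITY_PERMISSIONS.items() if perm in perms}
    ftp_urls = [m.group(0) for s in strings for m in CLEARTEXT_FTP.finditer(s)]

    indicators = []
    # Overlay + wake lock + keyguard control is the "fake standby" set.
    if {"overlay_window", "wake_lock", "keyguard_disable"} <= caps:
        indicators.append("fake-standby capability set (overlay, wake lock, keyguard)")
    # SMS access together with network egress matches the banking-SMS collection.
    if {"sms_read", "network"} <= caps:
        indicators.append("SMS read with network egress")
    # A hardcoded cleartext FTP endpoint matches the free-FTP command channel.
    if ftp_urls:
        indicators.append("cleartext FTP endpoint in strings")

    return {
        "capabilities": sorted(caps),
        "ftp_urls": ftp_urls,
        "indicators": indicators,
        # Two independent indicators are required to flag a sample.
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(triage(BENIGN_MANIFEST, ["https://example.invalid/api"]))
```

The script only reads a manifest and a list of strings, so it runs offline against any decoded APK output; the two-indicator threshold is a design choice to avoid flagging ordinary apps that legitimately hold one of these permissions.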
Delivering the malware to the target seems to happen manually, with the attacker physically accessing the phone to install the implant. The conclusion is supported by the lack of evidence of spear phishing or other common vectors.