A new family of Android spyware has caught the attention of security researchers through its unusual set of features and the original way they are implemented.

Named BusyGasper by researchers at Kaspersky Lab, the malware stands out for its ability to monitor the various sensors in the targeted phone. From the motion sensor logs, it works out when it is safe to start its activity and when it has to stop.

While analyzing its functions, the researchers noticed a feature in BusyGasper that calculates the device's speed from the motion sensor data. The spyware uses this to determine when the victim is not handling the phone, and then makes the device look as if it were in standby mode while it is actually active.

It uses a command "that mutes the device, disables keyguard, turns off the brightness, uses wake lock and listens to device sensors," Kaspersky's Alexey Firsh writes in the analysis.

When the victim picks up the phone, BusyGasper immediately runs an instruction that disables these backdoor operations and then simulates a press of the Home button to minimize whatever is on screen.
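The decision described above (activate only while the phone lies still, abort the moment it is picked up) can be reproduced from raw accelerometer samples. The following is an added illustration written for this article, not code from BusyGasper or from Kaspersky's analysis: the window size, the noise threshold and the sample stream are all constructed assumptions, and the state machine only mirrors the behaviour the text describes.

```python
"""
Added illustration (not BusyGasper's code): deciding from accelerometer
samples whether a phone is lying still, and driving an activate/abort
state machine from that decision, as the article describes.
"""
import math
from statistics import pstdev


def magnitudes(samples):
    """Acceleration magnitude per (x, y, z) sample in m/s^2.

    A stationary device reports roughly 9.81 whatever its orientation,
    so the magnitude, not the individual axes, is what stays constant.
    """
    return [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]


def is_stationary(samples, threshold=0.15):
    """True when the magnitude barely varies over the window (sensor noise only).

    The threshold is an assumed value; real sensors need calibration.
    """
    return pstdev(magnitudes(samples)) < threshold


class ImplantState:
    """Hypothetical state machine mirroring the behaviour the article describes:
    activate only while the device is still, abort as soon as it moves."""

    def __init__(self, window=10):
        self.window = window  # assumed: 10 samples per decision
        self.buf = []
        self.active = False
        self.events = []

    def on_sample(self, xyz):
        """Feed one (x, y, z) sample; returns whether the implant is active."""
        self.buf.append(xyz)
        if len(self.buf) < self.window:
            return self.active
        still = is_stationary(self.buf[-self.window:])
        if still and not self.active:
            self.active = True
            self.events.append("activate: mute, dim screen, hold wake lock")
        elif not still and self.active:
            self.active = False
            self.events.append("abort: stop backdoor, send HOME")
        return self.active


def constructed_trace():
    """Constructed sample stream: 20 samples at rest, then 10 samples of
    someone picking the phone up. Not real sensor data."""
    rest = [(0.02 * (i % 3), -0.01 * (i % 2), 9.80 + 0.02 * (i % 4))
            for i in range(20)]
    handling = [(0.8 * i, 1.5 * (i % 3), 9.8 - 0.9 * i) for i in range(10)]
    return rest + handling


def run_demo():
    """Replay the constructed trace and return the per-sample active flags."""
    state = ImplantState()
    flags = [state.on_sample(s) for s in constructed_trace()]
    return flags, state.events


if __name__ == "__main__":
    flags, events = run_demo()
    print("active at sample 10:", flags[9])
    print("active at last sample:", flags[-1])
    print("\n".join(events))
```

The defender-side lesson is the same one the implant relies on: a sudden rise in accelerometer variance is a reliable "the phone is in someone's hand" signal, and a process that wakes, mutes the device and holds a wake lock only while that variance is near zero is behaving like spyware rather than like a normal app.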

Malware detects movement, aborts its activity

The spyware also logs data from other sensors (ambient temperature and air pressure), which could give the attacker more information about the conditions at the victim's location.

Clues point to a less skilled attacker

Although BusyGasper appears to have been active since 2016, it is not widespread and seems to be the work of a single threat actor with little experience in running malware campaigns.

The researchers noticed that the developer did not implement any encryption in the spyware and relied on a free public FTP server (from the Russian web hosting provider Ucoz) for command and control.

Files on the C2 server

Rummaging through the data on the C2 server

The command and control server contained text files holding commands and victim identifiers. From these, the spying tool appears to have infected only seven phones, and three of them look like test devices.

List of victims

The malware also has access to an email inbox belonging to the attacker, where it checks a particular folder for new commands and payloads. The same mailbox is used to exfiltrate data from compromised devices.

Firsh says that the information in the email account included a large cache of the victims' personal data, as well as messages from IM apps.

"Among the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims' money," the researcher added.

Keylogging component implementation twist

The keylogging feature was implemented in an original way by the author of BusyGasper.

First, it records every tap on the screen together with its coordinates. It then works out which character was typed by matching each tap's position against a set of hardcoded values describing where the keys are.

After installation, it creates a TextView component (a standard Android element for displaying text) in a new window. Specific layout parameters make the element invisible to the user while it still receives the touch events.

TextView layout parameters

To make sure it gets the details right, the keylogger can also take a screenshot of the areas tapped by the victim.
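The coordinate-to-character step is easy to reproduce, and doing so shows why the author needed the screenshots as a safety net. The following is an added example written for this article, not code from BusyGasper or Kaspersky: the keyboard geometry (screen width, row height, where the keyboard starts) and the tap coordinates are constructed assumptions standing in for the malware's hardcoded values, and the second layout exists only to show what happens when the real on-screen keyboard does not match them.

```python
"""
Added illustration (not BusyGasper's code): resolving raw tap coordinates to
characters against a hardcoded keyboard geometry, and what goes wrong when
the victim's keyboard is laid out differently from what was hardcoded.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeyboardLayout:
    """Assumed geometry of a portrait QWERTY keyboard at the bottom of the screen.

    Every key is as wide as screen_w / (longest row); shorter rows are centred.
    """
    screen_w: int
    keyboard_top: int          # y coordinate where the first key row begins
    row_h: int                 # height of one key row
    rows: Tuple[str, ...]      # key labels per row, left to right

    def key_at(self, x: int, y: int) -> Optional[str]:
        """Map one tap to a key label, or None if it lands outside the keyboard."""
        if x < 0 or x >= self.screen_w or y < self.keyboard_top:
            return None
        row_idx = (y - self.keyboard_top) // self.row_h
        if row_idx >= len(self.rows):
            return None
        row = self.rows[row_idx]
        key_w = self.screen_w / max(len(r) for r in self.rows)
        offset = (self.screen_w - len(row) * key_w) / 2   # centring of short rows
        col = int((x - offset) // key_w)
        if col < 0 or col >= len(row):
            return None
        return row[col]


def decode_taps(taps: List[Tuple[int, int]], layout: KeyboardLayout) -> List[Optional[str]]:
    """Resolve a recorded tap sequence to key labels (None where unresolved)."""
    return [layout.key_at(x, y) for x, y in taps]


def decode_text(taps: List[Tuple[int, int]], layout: KeyboardLayout) -> str:
    """Same, as a string; '?' marks taps the hardcoded geometry cannot explain.

    Note what this cannot see: shift state, symbol layers, autocorrect and
    third-party keyboards all change what a tap means without changing
    where it lands, which is why a screenshot of the tapped area is needed.
    """
    return "".join(k if k is not None else "?" for k in decode_taps(taps, layout))


# Assumed "hardcoded" geometry: 1080 px wide screen, keyboard starting at y=1400,
# 150 px rows. Constructed, not taken from the malware.
PORTRAIT_QWERTY = KeyboardLayout(
    screen_w=1080, keyboard_top=1400, row_h=150,
    rows=("qwertyuiop", "asdfghjkl", "zxcvbnm"),
)

# A different keyboard on the same screen (taller, starts higher). Constructed.
TALL_KEYBOARD = KeyboardLayout(
    screen_w=1080, keyboard_top=1300, row_h=120,
    rows=("qwertyuiop", "asdfghjkl", "zxcvbnm"),
)

# Constructed tap log: centre of 'h', centre of 'i', then a tap in the message
# area above the keyboard.
CONSTRUCTED_TAPS = [(648, 1625), (810, 1475), (500, 300)]


if __name__ == "__main__":
    print("expected layout :", decode_text(CONSTRUCTED_TAPS, PORTRAIT_QWERTY))
    print("different layout:", decode_text(CONSTRUCTED_TAPS, TALL_KEYBOARD))
```

Run against the geometry it was built for, the tap log decodes to "hi?" (the third tap is correctly rejected as outside the keyboard). Run against the taller keyboard, the same taps decode to "bk?": the coordinates are identical, only the key boundaries moved. An implant that hardcodes key positions is therefore at the mercy of the victim's keyboard app, font scaling and orientation, which is the weakness the screenshot feature papers over.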

Delivering the malware to the target appears to be done by hand, with the attacker physically accessing the phone to install the implant. This conclusion is supported by the lack of any evidence of spear phishing or other common infection vectors.
