BusyGasper is one of the more recent mobile spyware implants used to snoop on Android users.
According to Kaspersky Lab research, the spyware has been in operation since May 2016 but came to light only recently, because there were very few victims, all of them based in Russia.
Loaded with Features
The Android implant registers listeners for device sensors, including motion detectors, and can collect data from messaging apps such as WhatsApp and Facebook. It also supports around 100 commands.
It is able to download payloads from its command-and-control (C&C) infrastructure, an FTP server belonging to Ucoz, a Russian web hosting service.
In addition, BusyGasper can log in to an email inbox controlled by the attacker, parse the emails and save payloads delivered as email attachments.
BusyGasper is currently being installed on devices manually, which is why so few people have fallen victim to it: fewer than 10 in total, all of them in Russia.
It appears to be a small campaign, but an effective one at collecting data from Android devices and exfiltrating it. The malware is not sophisticated, but it is rich in features.
The author of this malware has not been identified, but the FTP server belongs to Ucoz, and the names of the victims further reinforce the Russian connection.
The malware consists of two modules. The first is the implant that gets installed on the Android device.
After installation, the attacker issues instructions to it over the IRC protocol; for instance, it can be told to download further BusyGasper components from the operators' FTP (file transfer protocol) server.
The communication scheme is rather complex, according to a report by Kaspersky Lab researcher Alexey Firsh.
The second module extends the functionality of the malware. For instance, it accepts commands sent to the device remotely, whereby the attacker can send messages that trigger a particular action.
As for the infection vector, there is no sign of spear phishing. According to the Kaspersky Lab research, the implant has a hidden menu that the attacker can operate on the device itself,
which indicates that the malware is installed manually.
In other words, the attackers gain physical access to the victim's Android phone and install the spyware by hand. That would explain why there are so few victims and why all of them are in one country.
Unique and Original
According to Firsh's report, the malware is unique and original and has some special features that stand out. Support for the IRC protocol is rare in Android spyware.
Rarer still is the spyware's ability to log in to an email inbox and save payloads from email attachments.
The authors of BusyGasper hardcoded the screen dimensions of the targeted devices and assigned a character value to each area of the keyboard layout.
The malware identifies which key was pressed by matching the coordinates of each tap against those hardcoded areas.
BusyGasper is therefore an implant that can be compared to an unfriendly spy on an Android phone. It can even bypass Doze, Android's battery saver.
The keylogger is unusual in that it processes every tap the user makes: it records the tap position and from it calculates which character was typed.
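To make the coordinate-matching concrete, here is an added Python illustration of the general technique. It is not BusyGasper's code and not code from Kaspersky's report: the screen size, the keyboard rectangles, the meaning of the "<" and "_" keys and the touch-event stream are all constructed for the example, and the code assumes the implant has already obtained raw tap coordinates from the device by some means the page does not describe.

```python
"""Coordinate-based keylogging, as an added illustration of the technique.

Not BusyGasper's code. The screen size, keyboard rectangles and touch
events below are constructed for the example; a real implant would hardcode
the rectangles per device model and orientation and read the tap
coordinates from the device.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class KeyArea:
    """One rectangle of the keyboard layout and the character assigned to it."""
    char: str
    left: int
    top: int
    right: int
    bottom: int

    def contains(self, x: int, y: int) -> bool:
        return self.left <= x < self.right and self.top <= y < self.bottom


def build_layout(width: int, kb_top: int, kb_bottom: int, rows: list[str]) -> list[KeyArea]:
    """Split the on-screen keyboard band into one rectangle per key.

    Each row is divided evenly; the last key in a row (and the last row) is
    stretched to the screen edge so integer division never leaves an
    unmapped strip of pixels.
    """
    row_height = (kb_bottom - kb_top) // len(rows)
    layout: list[KeyArea] = []
    for r, keys in enumerate(rows):
        top = kb_top + r * row_height
        bottom = kb_bottom if r == len(rows) - 1 else top + row_height
        key_width = width // len(keys)
        for c, ch in enumerate(keys):
            left = c * key_width
            right = width if c == len(keys) - 1 else left + key_width
            layout.append(KeyArea(ch, left, top, right, bottom))
    return layout


def lookup(layout: list[KeyArea], x: int, y: int) -> Optional[str]:
    """Return the character whose rectangle contains (x, y), or None if the
    tap landed outside the keyboard (for example on the app's own UI)."""
    for area in layout:
        if area.contains(x, y):
            return area.char
    return None


def reconstruct(layout: list[KeyArea], events: Iterable[tuple[str, int, int]]) -> str:
    """Turn a stream of (action, x, y) touch events into the text typed.

    Only the UP event of each tap is resolved, so the DOWN/MOVE events of
    the same finger press do not produce duplicate characters. In the
    constructed layout '<' acts as backspace and '_' as the space bar.
    """
    typed: list[str] = []
    for action, x, y in events:
        if action != "UP":
            continue
        ch = lookup(layout, x, y)
        if ch is None:
            continue
        if ch == "<":
            if typed:
                typed.pop()
        elif ch == "_":
            typed.append(" ")
        else:
            typed.append(ch)
    return "".join(typed)


# Constructed 1080x1920 portrait layout: the keyboard occupies y in [1200, 1920).
LAYOUT = build_layout(1080, 1200, 1920, ["qwertyuiop", "asdfghjkl", "zxcvbnm<", "_"])

# Constructed touch stream: the user types "hi", a space, mistypes "z",
# deletes it, types "x", then taps the app UI above the keyboard.
SAMPLE_EVENTS = [
    ("DOWN", 660, 1470), ("UP", 660, 1470),                        # h
    ("DOWN", 810, 1290), ("MOVE", 812, 1291), ("UP", 812, 1291),   # i
    ("DOWN", 540, 1830), ("UP", 540, 1830),                        # space
    ("DOWN", 67, 1650), ("UP", 67, 1650),                          # z (typo)
    ("DOWN", 1012, 1650), ("UP", 1012, 1650),                      # backspace
    ("DOWN", 202, 1650), ("UP", 202, 1650),                        # x
    ("DOWN", 500, 300), ("UP", 500, 300),                          # outside keyboard, ignored
]

if __name__ == "__main__":
    print(reconstruct(LAYOUT, SAMPLE_EVENTS))
```

The point the example makes is that nothing about the victim's keyboard app is read; the text is inferred purely from where the finger lands. That is also why the rectangles have to be hardcoded for a specific screen size and keyboard, which fits the report's observation that the campaign was aimed at particular ASUS devices: a different resolution, keyboard app or orientation shifts every rectangle and breaks the mapping.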
Android Devices Targeted
The devices targeted by BusyGasper are generally ASUS hardware running the Android operating system.
As for the objective, it also seems clear that the attackers behind BusyGasper are not after their victims' money.
There is no similarity between this spyware and commercial malware products either, so it appears to be self-developed spyware created by a single actor.
The creators also seem to be non-professionals: the communications are not encrypted, and the researchers found that the authors used public FTP servers.
The victims have been identified with Russian names such as Jana, SlavaAl and Nikusha. While analysing the FTP server, the researchers also noticed part of an ASUS firmware image, suggesting that the attackers were interested in ASUS devices; one of the victim files also mentions ASUS.