Researchers say they have discovered commodity Android spyware called Exaspy being used to spy on executives.
The spyware, according to Skycure Research Labs, is being sold as a $15-a-month turnkey service online and can be used to intercept nearly all phone-based communications including phone calls, text messages, Skype sessions, photos and much more.
Skycure said it discovered the spyware in September when a customer identified a fake app called “Google Services” running on one of their executive’s phones with full administrative rights, according to Elisha Eshed, researcher at Skycure. He said the victim targeted by the spyware was a high-profile executive at a global technology company. Exaspy, according to Skycure, is only compatible on Android phones and requires physical access to the phone to install the spyware.
Once installed, Exaspy hides itself on the phone by naming itself “Google Services” and installs absent of launcher icon. According to Eshed, the spyware currently is not detected by most mobile security scanners. Once installed, the spyware can “execute shell commands, or spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package,” according to Eshed in a blog post outlining the spyware discovery.
The platform behind Exaspy consists of a command-and-control server that monitors and transmits local files (such as emails, photos and videos) and is used to execute the shell commands, according to Skycure. “Exaspy isn’t hiding on the dark web, but it’s still an unknown quantity peddling spyware,” Eshed said. “There is zero confidence that this company can be trusted – never mind with the information it is collecting on its customers’ behalf.”
Key characteristics of the spyware include physical access to the targeted phone for installation. The spyware also requests full admin rights, requires a license number to activate and installs itself as a system package to make its un-installation process harder, according to Skycure.
Eshed said that the app installed itself as Google Services in an attempt to confuse users who might see the process running on their phone as a legitimate Google application. “The app is named ‘Google Services’ and uses the package name ‘com.android.protect.’ This is a clear disguise of Google Play Services,” Eshed wrote.
Other characteristics include communications with servers hosted on Google’s cloud services and downloads from the hard-coded URL “hxxp://www[.]exaspy[.]com.” “Spyware apps for Android and iOS have been around for a long time. However a few high-profile cases seem to indicate a disturbing trend in sophistication and prevalence of attacks on high-profile individuals,” wrote Eshed.
He points out that recent revelations regarding Pegasus iOS spyware used on a human rights advocate illustrate a growing and brazen attitude toward the use of mobile spyware on high-profile targets. Skycure Research Labs said avoidance and mitigation efforts should include PIN code or fingerprint authentication for mobile device access, disabling USB debugging and regularly checking an Android’s Device Administrators list and disable components you don’t trust.