Android spyware BusyGasper exfiltrating data from WhatsApp, Viber, Facebook

A new spyware called BusyGasper, loaded with an unusual set of highly effective features of the spyware, are expert at collecting and exfiltrating data from Android phones

The malware has more than 100 uniquely implemented features like device sensor listeners,  motion detectors, and the ability to detect a user’s command on touch screens.

“BusyGasper is not all that sophisticated but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features… that have been implemented with a degree of originality,” wrote Kaspersky Lab researcher Alexey Firsh.

 In the blog, the researcher wrote that the malware existed since at least May 2016, but managed to remain underground for a considerable time. However, until now there are less than 10 victims, all based in Russia.

“While looking for the infection vector, we found no evidence of spear-phishing or any of the other common vectors,” Firsh wrote. “But some clues, such as the existence of a hidden menu for operator control, point to a manual installation method – the attackers used physical access to a victim’s device to install the malware.”

The spyware is capable of spying on-device sensors (including motion detectors), exfiltrating data from messaging apps (e.g., WhatsApp, Viber, and Facebook), keylogging, and bypassing the Doze battery saver.

According to the reports, the attacker has coded the spyware as such where the screen of the device assigns a definite and unique value to the layout area of the keyboard. “The listener can operate with only coordinates, so it calculates pressed characters by matching given values with hardcoded ones.”

Leave a Reply