We are entering a new era of mobile threats as Android spyware evolves to become a commodity product. What that means is that you no longer need deep technical expertise to hack into someone’s mobile device. The spyware attackers need is now available online for easy purchase and use, similar to the tools available for running DDoS attacks against websites. This is a significant step in the evolution of mobile malware, and one which will make proactive mobile threat defense for IT that much more crucial.

Background
Last month, Skycure Research Labs detected a fake app within one of our customer’s target organizations, identified through our crowd-sourced intelligence policies (whereby anyone running the Skycure mobile app acts as a threat detecting sensor). This customer is a global technology company, which deployed Skycure’s Enterprise Mobile Threat Defense solution for all iOS and Android devices within their organization. This incident happened on an Android 6.0.1 device, owned by one of the company’s Vice Presidents. The customer has given us approval to share some of the details about the Spyware app that Skycure discovered.

Screenshot of the main screen of Exaspy. This is what a user will see when he launches the
app for the first time, before hiding the app and installing it as a system package.

What we found
The victim’s Android device was infected with a malicious app, identified as Exaspy, which is a commercial Android spyware package that gives an attacker access to a lot of the victim’s data, which includes:

1. Chats and messages: SMS, MMS, Facebook Messenger, Google Hangouts, Skype,
   Gmail, native email client, Skype, Viber, WhatsApp and more.
2. Audio: Ability to record audio it captures in the background or while on telephone calls.
3. Pictures: Access to your picture library, but also the ability to take secret screenshots of
   your device.
4. History: Collect contact lists, calendars, browser history, call logs, and more.

The CNC (command and control) server is able to perform requests of its own, which include:

1. Monitor and transmit local files, such as photos and videos taken.
   1. Execute shell commands, or spawn a reverse shell, which allows the app to elevate
      its privileges using exploits that are not included in the basic package.
      The potential damage to the end user here is huge, which makes the compounded risk to an enterprise significantly worse. Here are just a few of the scenarios an enterprise could face with a malicious mobile app like this running on their mobile devices:
      ● Collection of confidential company information , which might include financial
      information, intellectual property, product information, stealth recordings of confidential meetings, and more.
      ● Having the attacker blackmail the enterprise into paying large sums of money to
      prevent leaking the information obtained.

How it works
Based on Skycure Research Labs dissection of the Exaspy malware, we’ve been able to
identify some key characteristics about how the malware operates. Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:

1. Malware requests access to device admin rights
2. Asks (nicely) for a license number
3. Hides itself1
4. Requests access to root (if the device is rooted and managed through popular rooting
   apps ). Once granted, it installs itself as a system 2 package to make its uninstallation process harder.

Note that although root access may be refused by the SU manager (such as
SuperSU), once CNC connection is initiated, the server can send a root exploit to
perform this itself.

Once the app is successfully installed, it runs on the mobile device in the following manner:

1. The app is named “Google Services” and uses the package name “com.android.protect”.
   1. This is a clear disguise of Google Play Services , a popular suite of APIs Android
      apps can utilize for enriching their apps (push notifications, maps, etc).
2. The app communicates with the following servers:
   1. hxxps://api.andr0idservices.com (130.211.9.2003, Conveniently hosted
      in Google Cloud)
   2. Downloads updates from the hard-coded URL
      hxxp://www.exaspy.com/a.apk
3. The app will automatically hide itself from the launcher (by disabling its main activity
   component).
4. The app will disable Samsung’s SPCM service and com.samsung.android.smcore 4
5. package so it can run in the background without Samsung’s service killing it.
   5. The app will also install itself as a system package to prevent removal by the user.

Why is this interesting?
Spyware apps for Android and iOS have been around for a long time. However a few
high-profile cases seem to indicate a disturbing trend in sophistication and prevalence of attacks on high-profile individuals. Note the recent Pegasus Spyware used on an Emirates human rights advocate by his government, and the attacks on Democratic party officials’ mobile phones.

Classic anti-malware products still don’t do a good job of detecting them. The classic approach requires creating a signature for every new family of malware. This signature might be a string within the executable, a linked library or a compiled code sample.

Creating such signatures requires a manual inspection of the sample and this is why traditional anti-virus and anti-malware software solutions need frequent updating, take a lot of time to run, and don’t always succeed.

Another approach involves executing an app in a sandbox (dynamic analysis) which can detect parts of these threats. As we’ve shown in AppSecEU 16, though, malicious apps can easily leave malicious code out when a sandbox is detected.

In this case, data gathered from Skycure’s crowd-sourced intelligence apparatus showed this app as an anomaly. IT administrators should be aware of the great number of Spyware apps attackers can purchase easily online for using these kinds of attacks.

How do I protect myself and my end users?

1. To protect against attacks that require physical access to your device:
   a. Set up PIN codes and fingerprint authentication
   b. Disable USB debugging
   c. Make sure OEM Unlocking is turned off
2. Regularly check Android’s Device Administrators list and disable components you don’t
   trust
3. Install Skycure’s Mobile Threat Defense solution, which protects users against these and
   other kinds of threats
4. Avoid downloading apps from untrusted stores
5. Don’t give special permissions to apps that shouldn’t require them

Conclusion
Mobile attacks used to require a special level of skill which made them more rare, but in today’s market it is easy for anyone to pay their way to being a threat. The Exaspy malware, which we have outlined above, is just one of those packages that IT professionals need to defend against. And that defense is more crucial than ever when you consider statistics like:

• The average cost of a data breach is four million dollars, according to IBM
• 27% of users are running a mobile OS that is outdated, according to Skycure’s quarterly mobile threat report
• 45% of mobile devices will face a network attack within the first 4 months of monitoring,
  also according to Skycure’s quarterly threat report

When you add up these stats and combine it with threats like Exaspy, it’s clear that IT has to be proactive in today’s mobile market. It only takes malware on one user’s device to put the entire organization at risk. We encourage all IT professionals to read more on how you can leverage platforms like Skycure’s Enterprise Mobile Threat Defense solution to keep user’s safe.

Technical details
Here are some additional technical details that may help IT professionals identify this app in their organization:

Known hashes:
● 9725c1bf9483ff41f226f22bd331387c187e9179
● c4826138e07636af1eeb6008e580704575ec1bc7
● 4bf89c3bf4fb88ad6456fe5642868272e4e2f364
● c4826138e07636af1eeb6008e580704575ec1bc7
● f1fbebc2beafe0467ee00e69b3f75719cdbbd693

Package names:
● com.android.protect

Public key information:
● Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy
● Fingerprint: c5c82ecf20af94e0f2a19078b790d843 4ccedb59

1. To show the hidden app, a user should dial ‘11223344’
2. SuperSU, kingouser, SuperUser by noshufou
3. An IP belonging to 130.211.8.0/21, listed under _cloud netblocks4.googleusercontent.com
4. BuildProp.setProp(“sys.config.spcm_enable”, “false”);
BuildProp.setProp(“sys.config.spcm_gcm_kill_enable”, “false”);
5. This is done by executing pm disable com.samsung.android.smcore via a root shell.