A report by Vice News [1] published last week points to a report by the cybersecurity group Security Without Borders [2] about Android malware that disguised itself as innocuous apps on Google’s Play Store. Disguising malicious software as harmless applications is not a new technique [3], but the Vice News article suggests that this particular malware was created for an Italian government entity.
The malware is known as ‘Exodus’. It tricks victims into installing it by masquerading as useful apps such as memory cleaners and performance boosters, and then operates in two stages: device identification, followed by data collection and exfiltration.
In the first stage, Exodus collects the infected device’s IMEI and the phone number of its SIM card and sends them to a command and control (C2) server. As Vice News notes, this identification stage is what would let an operator restrict the spyware to the specific devices named in a court order during a lawful hacking operation [4]. Security Without Borders identified the function that performs this check as ‘CheckValidTarget’.
However, they found that this function did not actually verify whether an infected device was an intended target: every infected device passed the check and moved straight to the second stage. In that stage, Exodus downloads a .ZIP file from the C2 server containing a Java archive named ‘mike.jar’, which holds the malware’s data collection and exfiltration modules. Once ‘mike.jar’ is loaded, the malware can use the phone’s microphone to record surrounding audio and phone calls, extract call logs, take screenshots, retrieve SMS messages, and collect photos, GPS coordinates, device logs, and more. Everything it collects is sent back to the C2 server.
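The capabilities listed above each require a specific Android permission (RECORD_AUDIO for the microphone, READ_SMS for messages, READ_CALL_LOG for call logs, ACCESS_FINE_LOCATION for GPS, and so on), and a "memory cleaner" has no plausible reason to request them. The script below is an added example, not code from the original article or from Security Without Borders: it parses the output of `aapt dump permissions <apk>` and flags sensitive permissions that the app's claimed category does not justify. The package names, the sample `aapt` output and the "expected for a cleaner" permission set are constructed for the example.

```python
"""
Added example (not code from the original article or from Security Without
Borders): triage the permissions an APK requests, as printed by
`aapt dump permissions <apk>`, and flag permissions that give an app the
collection capabilities described for Exodus while it claims to be a
simple utility such as a memory cleaner.  All sample data below is
constructed; the package names and categories are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Permissions that grant the collection capabilities described in the
# article (audio and calls, call logs, SMS, photos, GPS, IMEI/phone number).
# This mapping is the example's own, not taken from the report.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record microphone audio and calls",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos and files",
    "android.permission.ACCESS_FINE_LOCATION": "read GPS coordinates",
    "android.permission.READ_PHONE_STATE": "read IMEI and phone number",
    "android.permission.READ_CONTACTS": "read contacts",
}

# Permissions a memory cleaner / performance booster could plausibly need
# (assumed for the example); any sensitive permission outside this set is
# treated as a mismatch between what the app claims and what it can do.
EXPECTED_FOR_CLEANER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

_PKG_RE = re.compile(r"^package:\s*(\S+)")
# Accepts both "uses-permission: name='X'" (newer aapt) and "uses-permission: X".
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?")


@dataclass
class PermissionReport:
    package: str
    requested: list = field(default_factory=list)
    suspicious: dict = field(default_factory=dict)  # permission -> capability


def parse_aapt_permissions(text: str) -> PermissionReport:
    """Parse `aapt dump permissions` output into a PermissionReport."""
    report = PermissionReport(package="")
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKG_RE.match(line)
        if m:
            report.package = m.group(1)
            continue
        m = _PERM_RE.match(line)
        if m:
            report.requested.append(m.group(1))
    return report


def flag_mismatches(report: PermissionReport, expected: set) -> PermissionReport:
    """Record every sensitive permission the claimed app category does not justify."""
    for perm in report.requested:
        if perm in SENSITIVE_PERMISSIONS and perm not in expected:
            report.suspicious[perm] = SENSITIVE_PERMISSIONS[perm]
    return report


def triage(text: str, expected: set = EXPECTED_FOR_CLEANER) -> PermissionReport:
    """Parse and flag in one step; the app is treated as a cleaner by default."""
    return flag_mismatches(parse_aapt_permissions(text), expected)


# Constructed sample: a decoy "memory cleaner" asking for spyware-grade access.
SAMPLE_DECOY = """\
package: com.example.memorycleaner
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.KILL_BACKGROUND_PROCESSES'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

# Constructed sample: a cleaner that only asks for what a cleaner needs
# (older aapt output format, without name='...').
SAMPLE_BENIGN = """\
package: com.example.cleaner
uses-permission: android.permission.INTERNET
uses-permission: android.permission.KILL_BACKGROUND_PROCESSES
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DECOY, SAMPLE_BENIGN):
        r = triage(sample)
        print(f"{r.package}: {'SUSPICIOUS' if r.suspicious else 'ok'}")
        for perm, capability in r.suspicious.items():
            print(f"  {perm} -> can {capability}")
```

Run it against a real APK with `aapt dump permissions app.apk | python3 triage.py` after replacing the constructed samples with `sys.stdin.read()`. The check is deliberately category-based: the same RECORD_AUDIO permission is expected in a voice recorder and a red flag in a cleaner, so the `expected` set has to match what the app claims to be.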
Security Without Borders also investigated the IP address of the C2 server. A reverse IP lookup of the address revealed infrastructure overlapping with that of an Italian firm called ‘eServ’, based in Catanzaro, Italy. The favicon served by the C2 server was identical to the one eServ used on the websites of its networked-camera business, and the setup corresponded to public descriptions of their work that eServ’s employees had posted online. When Vice News reached out to eServ, the company declined to comment.
Vice News also explains that some European countries allow lawful hacking: when a court order is issued against a target, law enforcement may install software similar to Exodus on the target’s smartphone to gather evidence of their activities. The faulty ‘CheckValidTarget’ function, however, appears to have caused Exodus to run its full collection on phones that were never targeted. Vice also notes that in 2017 Italy passed a law permitting the use of spyware in law enforcement [5].
What do you think?
- What are your thoughts on governments installing spyware on the premise of law enforcement?
- How do you make sure your phone does not contain malware?
- What kinds of apps do you download on your phone? How do you know they are trustworthy?
- How often do you check the permissions of the apps installed on your phone?
- Do you believe that eServ should be punished for not checking targets properly?
Let us know what you think about this article and your responses to our questions in the comments below!
For more information, check out these articles:
Spyware Disguises as Android Applications on Google Play [TrendMicro]
Mobile Malware [Wikipedia]
7 Things You Need to Know About Smartphone Malware [Inc]
Meet the malware which turns your smartphone into a mobile proxy [ZDNet]
Disclaimer: The views and opinions expressed in this article are those of the author and do not constitute legal or financial advice.
Always do your own research to make informed decisions.
Edited by: Elyse Hill