BusyGasper Malware Packs a Simple but Potent Punch

A small malware campaign is leveraging spyware called BusyGasper, which is highly effective at collecting data on Android phones and exfiltrating it. The malware is unsophisticated, but loaded with 100 uniquely implemented features ranging from device sensor listeners, motion detectors and the ability to process a user’s screen taps.

The mobile malware was identified by researchers at Kaspersky Lab in early 2018 and is believed to have been active since May 2016. The location of the malware author is unknown; however, the FTP server used as the hacker’s command-and-control (C2) is located on the free Russian web hosting service Ucoz. Researchers also made a Russian connection based on victim names (Jana, SlavaAl, Nikusha) found on files recovered by researchers on the FTP server.

“BusyGasper is not all that sophisticated, but demonstrates some unusual features for this type of threat. From a technical point of view, the sample is a unique spy implant with stand-out features… that have been implemented with a degree of originality,” wrote Alexey Firsh, a cyber-threat researcher at Kaspersky Lab, in a technical write-up describing the malware posted on Wednesday.

Noteworthy aspects of the malware include the fact it supports the IRC protocol, something rarely seen among Android malware, Firsh said. Also of interest, the malware can be directed to log into the “attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.”

Lastly, researchers noted that the attackers have developed a novel implementation of a keylogger based on screen taps. According to the Kaspersky report, the attacker has mapped device screens assigning values to the layout area of the keyboard. “The listener can operate with only coordinates, so it calculates pressed characters by matching given values with hardcoded ones,” according to the report.

Interestingly, researchers said the infection sample detected was tiny, only about 10 devices. The infection vector is also believed to be “manual” – meaning physical access to the device.

“While looking for the infection vector, we found no evidence of spear-phishing or any of the other common vectors,” the researcher wrote. “But some clues, such as the existence of a hidden menu for operator control, point to a manual installation method – the attackers used physical access to a victim’s device to install the malware.”

The targeted devices are mostly ASUS hardware running the Android OS. The malware author also appears to be somewhat of a rookie based on a lack of encryption used to protect communications and the fact a public FTP server was used as the C2.

A teardown of the malware revealed two modules. Module one (“implant”) is installed on the device (likely manually) and allows the attacker to issue instructions to the malware via the IRC protocol, such as a command to download the payload (BusyGasper) from the FTP server.

“The implant uses a complex, intent-based communication mechanism between its components to broadcast commands,” Firsh said.

Module two adds exponentially more functionality, including the ability to trigger commands remotely to the phone. An attacker can send “magic” number text messages that trigger actions.

“If an incoming SMS contains one of the following magic strings: ‘2736428734’ or ‘7238742800’ the malware will execute multiple initial commands along with the ability to exfiltrate data,” the researcher wrote.

One clever implementation also includes monitoring a device’s sensors, such as the accelerometer.

“This feature is used in particular by the command ‘tk0’ that mutes the device, disables keyguard, turns off the brightness, uses wakelock and listens to device sensors. This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state. As soon as the user picks up the device, the implant will detect a motion event and execute the ‘tk1’ and ‘input keyevent 3’ commands,” the researcher said.

BusyGasper also has special commands that allow it to target apps such as Facebook, Telegram, WhatsApp and Viber. The spyware also can be instructed to dump WhatsApp or Facebook “messages during specified period” from the targeted device’s cache.