Date: 02/04/19
Massively invasive Italian spyware campaign found on Google Play
The non-profit security organization Security Without Borders (SWB) has identified a campaign using Italian-language apps that pose as service applications from mobile operators but, instead of performing their stated function, are in fact spyware. The group's report stated that dozens of infected apps had been found in the Google Play store, with a possible download total in the thousands. The spyware is quite invasive, copying and eventually extracting not only the phone's own data but also information from other apps on the device. This includes Facebook contact lists, Facebook Messenger, Telegram, WeChat and WhatsApp, among many others.
The organization, which dubbed the malware Exodus, said it has been operating since 2016. Google has been informed and has removed the apps, but the malicious actors behind the campaign have been known to re-establish them on Google Play. Google confirmed to SWB that about 25 variants of Exodus have been found and removed.
An attack takes place in two stages. After an infected app is downloaded, the first stage, dubbed Exodus 1, grabs the device's basic info, such as the phone number, to validate the target. In stage two, Exodus 1 dynamically loads and executes the primary stage 2 payload.
“Of the various binaries downloaded, the most interesting are null, which serves as a local and reverse shell, and rootdaemon, which takes care of privilege escalation and data acquisition. rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit,” the report stated.
The stolen data is temporarily stored on the device’s SD card for eventual downloading by the command and control server.
©ictnews.az. All rights reserved.