Exaspy

Exaspy is a spyware package that targets high-value company executives using the Android operating system. Physical access to the target device is required for installation of the package com.android.protect and, once installed, it masquerades as a bogus app named “Google Services.” It then establishes communication with its C2 server and downloads updates from the hard-coded URL www[.]exaspy[.]com/a.apk. Exaspy, hides itself from the launcher, and disables Samsung’s SPCM service and com.samsung.android.smcore package to prevent its process from being terminated. Once Exaspy is running on the device, it can access nearly everything on the victim’s device including SMS messages, various chat applications, email clients, calendars, contact lists, call logs, browser history, videos and photo libraries. It can also take screen captures and record audio from telephone calls and ambient sound picked up by the device’s microphone. Its connection to the C2 server allows for the monitoring and transmission of local files, privilege escalation, and the remote execution of shell commands. To protect Android devices against this attack, enable PIN code or fingerprint authentication, disable USB debugging, and disable the OEM unlocking feature. Users should be suspicious of any app requesting excessive permissions and never download apps outside authorized app stores.

Reporting

  • November 2016: Commodity ‘Exaspy’ Spyware Found Targeting High-Level Execs (Threatpost)
     
  • November 2016: Exaspy is reported as being sold as a $15/month turnkey service by its developers. (Skycure)

Technical Details

  • Skycure Research Labs discovered Exaspy in September 2016 and provides technical details on the spyware package here.