BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia, and all of whom were infected via physical access to the device.[1]
Domain | ID | Name | Use
---|---|---|---
Mobile | T1409 | Access Stored Application Data | BusyGasper can collect data from messaging applications, including WhatsApp, Viber, and Facebook.[1]
Mobile | T1438 | Alternate Network Mediums | BusyGasper can download text files with commands from an FTP server and exfiltrate data via email. It can also perform actions when one of two hardcoded magic SMS strings is received.[1]
Mobile | T1616 | Call Control | BusyGasper can open a hidden menu when a specific phone number is called from the infected device.[1]
Mobile | T1429 | Capture Audio | BusyGasper can record audio.[1]
Mobile | T1512 | Capture Camera | BusyGasper can record from the device’s camera.[1]
Mobile | T1412 | Capture SMS Messages | BusyGasper can collect SMS messages.[1]
Mobile | T1605 | Command-Line Interface | BusyGasper can run shell commands.[1]
Mobile | T1533 | Data from Local System | BusyGasper can collect images stored on the device and browser history.[1]
Mobile | T1407 | Download New Code at Runtime | BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.[1]
Mobile | T1417 | Input Capture | BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.[1]
Mobile | T1430 | Location Tracking | BusyGasper can collect the device’s location information based on cellular network or GPS coordinates.[1]
Mobile | T1400 | Modify System Partition | BusyGasper can abuse existing root access to copy components into the system partition.[1]
Mobile | T1513 | Screen Capture | BusyGasper can use its keylogger module to take screenshots of the area of the screen that the user tapped.[1]
Mobile | T1582 | SMS Control | BusyGasper can send an SMS message after the device boots, messages containing logs, and messages to adversary-specified numbers with custom content, and it can delete all SMS messages on the device.[1]
Mobile | T1508 | Suppress Application Icon | BusyGasper can hide its icon.[1]
Mobile | T1618 | User Evasion | BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.[1]
Mobile | T1481 | Web Service | BusyGasper can be controlled via IRC using freenode.net servers.[1]