Government Spyware Hidden in Google Play Store Apps (Apr 2, 2019)
Security researchers have discovered applications in the Google Play store that contain spying malware (spyware), according to Motherboard reporters. Motherboard believes that the malware is attributable to the Italian government, which reportedly purchased the spyware from a surveillance company called “eSurv.” Security Without Borders researchers claim that the malware, dubbed “Exodus,” has never been previously identified and is attributed to eSurv via an Italian dialect word and the name of a retired footballer, “RINO GATTUSO,” both of which come from the same region where eSurv is based. The Exodus malware works in two stages. In the first stage, the malware masquerades as an application that receives “promotions and marketing offers from local Italian cell phone providers or that claim to improve the device’s performance.” The first stage also loads the second stage, which is responsible for collecting data and sending it back to a Command and Control (C2) server. Exodus is capable of gathering application passwords, browsing history, contact lists from other applications, text messages, and Wi-Fi passwords.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed in order to access or properly view content should be avoided. Additionally, mobile security applications provided by trusted vendors are recommended. Furthermore, this story shows that malicious applications can bypass the security measures of application stores; it is therefore crucial that all permissions requested by an application be examined prior to download.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.