On April 3, researchers reported previously unknown spyware on Google’s official Google Play Store. Interestingly, this spyware has no connection with the National Security Agency (NSA); instead it is linked to the Italian government, which purchased it from a company that sells surveillance cameras. A joint investigation by researchers at Motherboard and Security Without Borders found that this is the first time security researchers have come across malware produced by the surveillance company eSurv.
According to the technical report released by Security Without Borders on Friday, the spyware was uploaded to the Google Play Store multiple times over two years and re-uploaded again after several months.
Motherboard said that they initially inferred that the malicious program came from the Italian government and was purchased from a company that sells surveillance cameras. The inference came from Italian text fragments found in the code, such as the Calabrian dialect word “mundizza” and the name of the famous retired footballer Rino Gattuso, who is from Calabria (where eSurv is based).
eSurv calls the malware Exodus, after its command-and-control server. Exodus has two faces. On the surface it poses as a harmless application, offering promotional and marketing services from local Italian mobile phone providers or features that optimize device performance. In secret it collects data: the user’s installed applications, browsing history, contacts, SMS, location data, Wi-Fi passwords, and so on. This information is collected, packaged and sent to the control server, where whoever operates the server can easily retrieve it.
Even more frightening, Exodus can also activate the camera and microphone to capture audio and video, and take screenshots of whatever application is in use. In addition, Exodus includes a function called “CheckValidTarget” that is said to “verify” the target of a new infection. Just as notable, the Exodus code takes no protective measures of its own: it opens a remote command shell on the infected phone without any encryption or authentication, so anyone on the same Wi-Fi network as the infected device can take control of it. For example, if an infected device is connected to a public Wi-Fi network, any other host can simply connect to the port without any form of authentication. In other words, the spyware not only snoops on user data but may also indirectly expose that data to tampering.
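As an added, defender-side illustration (not code from the report or from the researchers) of what an unauthenticated listener like the one described above looks like from the device itself: a parser for the Linux/Android /proc/net/tcp table that flags app-owned sockets listening on all interfaces, which is exactly what makes a shell reachable from the same Wi-Fi network. The sample table, its UIDs and its ports are constructed; the page gives no port number for the Exodus shell.

```python
"""Flag TCP listeners reachable from the local network, as a host-side
check for an exposed, unauthenticated shell. Parses the /proc/net/tcp
layout used by Linux and Android. The sample below is constructed; the
ports in it are placeholders, not the ones used by any real spyware."""
import socket
import struct

# Constructed /proc/net/tcp sample: header, then one socket per line.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:22B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
"""

LISTEN = 0x0A          # socket state code for TCP_LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000  # Android assigns installed-app UIDs from 10000 upward


def _parse_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); the IP is little-endian hex."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_net_tcp):
    """Yield (ip, port, uid) for every socket in LISTEN state."""
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != LISTEN:
            continue
        ip, port = _parse_addr(fields[1])       # local_address column
        yield ip, port, int(fields[7])          # uid column


def exposed_app_listeners(proc_net_tcp):
    """Return listeners bound to all interfaces (0.0.0.0) by an app UID.

    A listener bound only to loopback cannot be reached over Wi-Fi; one an
    app binds to 0.0.0.0 is reachable by any host on the same network."""
    return [
        (ip, port, uid)
        for ip, port, uid in listening_sockets(proc_net_tcp)
        if ip == "0.0.0.0" and uid >= FIRST_APP_UID
    ]


if __name__ == "__main__":
    for ip, port, uid in exposed_app_listeners(SAMPLE_PROC_NET_TCP):
        print(f"exposed listener {ip}:{port} owned by app uid {uid}")
```

On a real device, feed it the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 listeners, which this parser does not cover) and map any flagged UID back to a package name before deciding whether the listener is expected.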
In fact, hidden malware turning up on Google Play has become almost routine for its users:
In January 2018, Trend Micro researchers discovered 36 malicious applications on Google Play, some of which even posed as security tools;
In February 2018, Google announced that it had removed more than 700,000 bad apps in 2017 and blocked 100,000 developers of malicious apps from publishing;
In May 2018, SophosLabs discovered photo editor apps on Google Play that hid malware;
In December 2018, Sophos researchers again discovered malware that downloaded files without the user’s permission and eventually drained the user’s phone; in the end, 22 pieces of malware were removed from the Google Play Store;
In February 2019, researchers discovered malware called a “clipper” on the Google Play Store. It automatically intercepts the contents of the clipboard and replaces them with malicious content; in the case of cryptocurrency transactions, the wallet address the affected user copied may end up swapped for the attacker’s address…