Italian surveillance company secretly planted spyware in the Google Play store

On April 3, researchers reported previously unknown spyware in the Google Play Store, Google's official app store. Interestingly, the spyware was not tied to a signals-intelligence agency such as the National Security Agency (NSA), but to an Italian company that sells surveillance cameras, whose spyware the Italian government appears to have bought.

A joint investigation by researchers at Motherboard and the nonprofit Security Without Borders attributed the software to a surveillance company known as eSurv, and found that this was the first time malware produced by that company had been exposed by security researchers.

According to the technical report released by Security Without Borders last Friday, eSurv's spyware was uploaded to the Google Play store several times over the course of two years, with new copies reappearing in the store months after earlier ones.

Motherboard said it inferred that the malicious program was connected to the Italian government and had been purchased from the company that sells surveillance cameras. The inference rested on Italian text fragments found in the eSurv code, such as the word "Mundizza" from the Calabrian dialect and the name of Rino Gattuso, a prominent retired footballer from Calabria, the region where eSurv is based.

The malware, named Exodus after its command-and-control server, has two faces. Outwardly it is disguised as a harmless application: a promotional or marketing app for a local Italian mobile carrier, or a tool that claims to optimize device performance. Covertly it collects data, including the applications the user has installed, browsing history, contacts, text messages, location data, Wi-Fi passwords, and more. This information is packaged and sent to the control server, where it is readily accessible to the operator behind it.

More alarmingly, Exodus can activate the camera and microphone to capture audio and video, and can take screenshots of apps as they are being used.

In addition, Exodus contains a function called "CheckValidTarget", which is supposed to "verify" that a newly infected device is an intended target. But the researchers said that, because the malware activated immediately on the test phone they were using and remained active throughout testing, very little "verification" was actually taking place.

More interestingly, the Exodus code takes no protective measures of its own. The spyware opens a remote command shell on the infected phone but uses neither encryption nor authentication, so anyone on the same Wi-Fi network as an infected device can take control of it. If an infected device is connected to a public Wi-Fi network, for example, any other host on that network can simply connect to the port without any form of validation.

In other words, the spyware not only exfiltrates user data, but also indirectly exposes the device and its data to tampering by third parties.
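A command shell like the one described above, bound to every interface and accepting connections without authentication, has to appear in the device's socket table. The following added example (not code from the article, from the researchers, or from eSurv) shows a triage check a responder could run over the output of `adb shell ss -ltnp` on an Android device: it flags listening TCP sockets bound to 0.0.0.0 or :: whose owning process is not on an allowlist of expected network services. The sample output, the package name `com.example.promo`, the port numbers and the allowlist are all constructed for this example; the article does not give the real Exodus port.

```python
"""Flag wildcard-bound TCP listeners in `ss -ltnp` output from an Android device.

Added example, not part of the original article. The sample below is CONSTRUCTED
in the shape of iproute2/toybox `ss -ltnp` output; the package name and the
port numbers are hypothetical and are not the real Exodus values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of `adb shell ss -ltnp` output (hypothetical processes/ports).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       10      127.0.0.1:5037       0.0.0.0:*          users:(("adbd",pid=702,fd=11))
LISTEN  0       50      0.0.0.0:22222        0.0.0.0:*          users:(("com.example.promo",pid=4123,fd=37))
LISTEN  0       128     [::1]:38451          [::]:*             users:(("com.android.chrome",pid=3311,fd=88))
LISTEN  0       5       [::]:5555            [::]:*             users:(("adbd",pid=702,fd=12))
"""

# Processes that are expected to listen on the network on a debug-enabled device.
# Constructed allowlist for this example; tune it to the device under review.
EXPECTED_NETWORK_LISTENERS: Set[str] = {"adbd"}

# `users:(("name",pid=123,fd=4))` as printed in the Process column.
_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    local_addr: str
    port: int
    process: Optional[str]   # None when ss could not resolve the owner
    pid: Optional[int]


def is_wildcard(addr: str) -> bool:
    """True if the bind address accepts connections on every interface."""
    return addr.strip("[]") in {"0.0.0.0", "::", "*"}


def parse_ss(text: str) -> List[Listener]:
    """Parse LISTEN rows of `ss -ltnp` output; header and other rows are skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        process = m.group(1) if m else None
        pid = int(m.group(2)) if m else None
        listeners.append(Listener(addr, int(port), process, pid))
    return listeners


def suspicious_listeners(listeners: List[Listener],
                         expected: Set[str] = EXPECTED_NETWORK_LISTENERS) -> List[Listener]:
    """Listeners reachable from other hosts that no expected service accounts for.

    A listener with an unknown owner (process is None) is kept, since an
    unexplained wildcard bind is exactly what a responder wants to look at.
    """
    return [l for l in listeners
            if is_wildcard(l.local_addr) and l.process not in expected]


if __name__ == "__main__":
    for l in suspicious_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"wildcard listener: {l.local_addr}:{l.port} "
              f"owned by {l.process or '?'} (pid {l.pid})")
```

A hit from this check is only the symptom: a loopback-bound or allowlisted socket can still be dangerous, and a wildcard bind is only as bad as what is behind it. What made Exodus notable is that the listener required no authentication at all, which is confirmed by attempting a connection from a second host on the same network, not from the socket table.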

Spyware in the Google Play Store

In fact, hidden malware turns up on Google Play every so often, and Google Play users seem to have grown accustomed to it:

In January 2018, Trend Micro researchers found 36 malicious applications on Google Play, some of which even posed as security tools;

In February 2018, Google announced that it had removed more than 700,000 bad apps from the store in 2017 and had taken action against 100,000 malicious developers to stop them from distributing malware;

In May 2018, SophosLabs discovered photo editor apps on Google Play that concealed malware;

In December 2018, Sophos researchers again discovered malware on Google Play that downloaded files without the user's permission and drained the phone's battery; in all, 22 malicious apps were found on the shelves of the Play store;

In February 2019, researchers discovered malware known as a "Clipper" on Google Play. It silently intercepts the contents of the clipboard and replaces them with attacker-controlled content: in a cryptocurrency transaction, the wallet address the user copied may be quietly swapped for the attacker's address.

Source: Leiphone
