BusyGasper is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.[1]

ID: S0655
Platforms: Android
Version: 1.0
Created: 01 October 2021
Last Modified: 14 October 2021

Techniques Used

Domain ID Name Use
Mobile T1409 Access Stored Application Data

BusyGasper can collect data from messaging applications, including WhatsApp, Viber, and Facebook.[1]

Mobile T1438 Alternate Network Mediums

BusyGasper can download text files with commands from an FTP server and exfiltrate data via email. It can also perform actions when one of two hardcoded magic SMS strings is received.[1]

Mobile T1616 Call Control

BusyGasper can open a hidden menu when a specific phone number is called from the infected device.[1]

Mobile T1429 Capture Audio

BusyGasper can record audio.[1]

Mobile T1512 Capture Camera

BusyGasper can record from the device’s camera.[1]

Mobile T1412 Capture SMS Messages

BusyGasper can collect SMS messages.[1]

Mobile T1605 Command-Line Interface

BusyGasper can run shell commands.[1]

Mobile T1533 Data from Local System

BusyGasper can collect images stored on the device and browser history.[1]

Mobile T1407 Download New Code at Runtime

BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.[1]

Mobile T1417 Input Capture

BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.[1]

Mobile T1430 Location Tracking

BusyGasper can collect the device’s location information based on cellular network or GPS coordinates.[1]

Mobile T1400 Modify System Partition

BusyGasper can abuse existing root access to copy components into the system partition.[1]

Mobile T1513 Screen Capture

BusyGasper can use its keylogger module to take screenshots of the area of the screen that the user tapped.[1]

Mobile T1582 SMS Control

BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.[1]

Mobile T1508 Suppress Application Icon

BusyGasper can hide its icon.[1]

Mobile T1618 User Evasion

BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.[1]

Mobile T1481 Web Service

BusyGasper can be controlled via IRC using freenode.net servers.[1]