Apps posing as customer-service applications from Italian mobile operators were in fact invasive spyware that had slipped past Google Play's review, according to researchers at the non-profit Security Without Borders (SWB). The disguised spyware was hosted on the store for months in what Motherboard describes as a "case of lawful intercept gone wrong."
According to the SWB report, the spyware had "extensive collection and interception capabilities" that "might expose the infected devices to further compromise or data tampering."
Google removed the apps after being notified. Its own investigation found that 25 variants had been uploaded to Google Play. The company did not say how many devices were infected, but noted that one of the apps had 350 installations.
Dubbed Exodus, the Android spyware platform was allegedly created by Italian video surveillance company eSurv, and operated in two stages: Exodus One and Exodus Two.
“Of the various binaries downloaded, the most interesting are null, which serves as a local and reverse shell, and rootdaemon, which takes care of privilege escalation and data acquisition. rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit,” the report stated. DirtyCow is the Linux kernel copy-on-write race condition tracked as CVE-2016-5195, which was patched in late 2016, so this escalation step can only succeed on devices that never received that kernel fix.
The team collected samples dating from 2016 to 2019, which suggests the spyware had been distributed through the store for roughly three years. “Most of these apps collected a few dozen installations each, with one case reaching over 350. All of the victims are located in Italy,” the researchers said.
Motherboard claims the company sold the malware to the Italian government.