{
	"id": "a5773157-0523-462f-9663-b5d61748a2b7",
	"created_at": "2026-04-06T00:21:31.067663Z",
	"updated_at": "2026-04-10T03:20:03.474324Z",
	"deleted_at": null,
	"sha1_hash": "55e75f0722e983156d8171efd8b99c558cf8d53c",
	"title": "BusyGasper - the unfriendly spy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 571119,
	"plain_text": "BusyGasper - the unfriendly spy\r\nBy Alexey Firsh\r\nPublished: 2018-08-29 · Archived: 2026-04-05 14:19:14 UTC\r\nIn early 2018 our mobile intruder-detection technology was triggered by a suspicious Android sample that, as it\r\nturned out, belonged to an unknown spyware family. Further investigation showed that the malware, which we\r\nnamed BusyGasper, is not all that sophisticated, but demonstrates some unusual features for this type of threat.\r\nFrom a technical point of view, the sample is a unique spy implant with stand-out features such as device sensors\r\nlisteners, including motion detectors that have been implemented with a degree of originality. It has an incredibly\r\nwide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. As a modern\r\nAndroid spyware it is also capable of exfiltrating data from messaging applications (WhatsApp, Viber, Facebook).\r\nMoreover, BusyGasper boasts some keylogging tools – the malware processes every user tap, gathering its\r\ncoordinates and calculating characters by matching given values with hardcoded ones.\r\nThe sample has a multicomponent structure and can download a payload or updates from its C\u0026C server, which\r\nhappens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that\r\nBusyGasper supports the IRC protocol which is rarely seen among Android malware. In addition, the malware can\r\nlog in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a\r\ndevice from email attachments.\r\nThis particular operation has been active since approximately May 2016 up to the present time.\r\nInfection vector and victims\r\nWhile looking for the infection vector, we found no evidence of spear phishing or any of the other common\r\nvectors. 
But some clues, such as the existence of a hidden menu for operator control, point to a manual installation method: the attackers used physical access to a victim’s device to install the malware. This would explain the number of victims: there are fewer than 10 of them and, according to our detection statistics, they are all located in Russia.\r\nIntrigued, we continued our search and found more interesting clues that could reveal some detailed information about the owners of the infected devices. Several TXT files with commands on the attacker’s FTP server contain a victim identifier in their names that was probably added by the criminals:\r\nCMDS10114-Sun1.txt\r\nCMDS10134-Ju_ASUS.txt\r\nCMDS10134-Tad.txt\r\nCMDS10166-Jana.txt\r\nhttps://securelist.com/busygasper-the-unfriendly-spy/87627/\r\nPage 1 of 18\n\nCMDS10187-Sun2.txt\r\nCMDS10194-SlavaAl.txt\r\nCMDS10209-Nikusha.txt\r\nSome of them sound like Russian names: Jana, SlavaAl, Nikusha.\r\nAs we know from the FTP dump analysis, the dump contained a system component from ASUS firmware, indicating the attacker’s interest in ASUS devices, which explains the victim file name that mentions “ASUS”.\r\nInformation gathered from the email account provides a lot of the victims’ personal data, including messages from IM applications.\r\nGathered file | Type | Description\r\nlock | Text | Implant log\r\nldata | sqlite3 | Location data based on network (cell_id)\r\ngdata | sqlite3 | Location data based on GPS coordinates\r\nsdata | sqlite3 | SMS messages\r\nf.db | sqlite3 | Facebook messages\r\nv.db | sqlite3 | Viber messages\r\nw.db | sqlite3 | WhatsApp messages\r\nAmong the other data gathered were SMS banking messages that revealed an account with a balance of more than US$10,000. But as far as we know, the attacker behind this campaign is not interested in stealing the victims’ money.\r\nWe found no similarities to commercial spyware products or to other known spyware variants, which suggests BusyGasper is self-developed and\r\n
used by a single threat actor. At the same time, the lack of encryption, the use of a public FTP server and the low opsec level could indicate that less skilled attackers are behind the malware.\r\nTechnical details\r\nHere is the meta information for the observed samples, certificates and hardcoded version stamps:\r\nCertificate | MD5 | Module | Version\r\nSerial Number: 0x76607c02; Issuer: CN=Ron; Validity: from Tue Aug 30 13:01:30 MSK 2016 to Sat Aug 24 13:01:30 MSK 2041; Subject: CN=Ron | 9e005144ea1a583531f86663a5f14607 | 1 | –\r\nCN=Ron (same certificate) | 18abe28730c53de6d9e4786c7765c3d8 | 2 | 2.0\r\nSerial Number: 0x6a0d1fec; Issuer: CN=Sun; Validity: from Mon May 16 17:42:40 MSK 2016 to Fri May 10 17:42:40 MSK 2041; Subject: CN=Sun | 9ffc350ef94ef840728564846f2802b0 | 2 | v2.51sun\r\nCN=Sun (same certificate) | 6c246bbb40b7c6e75c60a55c0da9e2f2 | 2 | v2.96s\r\nCN=Sun (same certificate) | 7c8a12e56e3e03938788b26b84b80bd6 | 2 | v3.09s\r\nCN=Sun (same certificate) | bde7847487125084f9e03f2b6b05adc3 | 2 | v3.12s\r\nCN=Sun (same certificate) | 2560942bb50ee6e6f55afc495d238a12 | 2 | v3.18s\r\nIt’s interesting that the issuer “Sun” matches the “Sun1” and “Sun2” identifiers of infected devices from the FTP server, suggesting they may be test devices.\r\nThe analyzed implant has a complex structure, and for now we have observed two modules.\r\nFirst (start) module\r\nThe first module, which was installed on the targeted device, could be controlled over the IRC protocol and could deploy other components by downloading a payload from the FTP server:\r\n@install command\r\nAs can be seen from the screenshot above, a new component was copied into the system path, an operation that is impossible without root privileges.\r\n
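An added triage check, not code from the Securelist analysis, for the two persistence artefacts this write-up describes on a dumped /system partition: APKs copied into the system app directories, which only root can do, and a sysconfig XML of the kind the FTP dump’s bdata.xml provides to exempt implant components from Doze. The element name allow-in-power-save is the one AOSP reads from /system/etc/sysconfig/; the inventory, the vendor baseline and every package name in the sample XML are constructed for the example.

```python
"""Triage of a dumped Android /system partition for BusyGasper-style persistence.

Added example, not code from the Securelist write-up. It flags APKs placed in
the system app directories (only possible with root, as the write-up notes for
the @install command) and packages that a sysconfig XML exempts from Doze, the
mechanism the bdata.xml file in the FTP dump relies on. The element name
allow-in-power-save is what AOSP reads from /system/etc/sysconfig/; every
path, package name and baseline below is constructed for the example.
"""
import posixpath
import xml.etree.ElementTree as ET

SYSTEM_APP_DIRS = ("/system/app", "/system/priv-app")

# Constructed inventory, e.g. the output of: find /system /data -name '*.apk'
SAMPLE_INVENTORY = [
    "/system/priv-app/MobileManagerService/MobileManagerService.apk",
    "/system/priv-app/bdatas/bdatas.apk",
    "/system/app/com.android.network.irc/com.android.network.irc.apk",
    "/system/app/Calculator/Calculator.apk",
    "/data/app/com.example.game-1/base.apk",
]
# Constructed vendor baseline: APK basenames known to ship in the firmware.
SAMPLE_BASELINE_APKS = {"MobileManagerService.apk", "Calculator.apk"}

# Constructed sysconfig file in the format Android reads from
# /system/etc/sysconfig/. Package names are hypothetical.
SAMPLE_SYSCONFIG = """<config>
    <allow-in-power-save package="com.asus.mobilemanager" />
    <allow-in-power-save package="com.android.network.irc" />
    <allow-in-power-save package="com.example.bdatas" />
</config>"""
SAMPLE_BASELINE_DOZE = {"com.asus.mobilemanager"}


def unexpected_system_apks(inventory, baseline_apks):
    """APK paths under the system app directories whose basename is not in the baseline."""
    found = []
    for path in inventory:
        norm = posixpath.normpath(path)
        if not norm.endswith(".apk"):
            continue
        if not any(norm.startswith(d + "/") for d in SYSTEM_APP_DIRS):
            continue  # user-installed apps under /data are out of scope here
        if posixpath.basename(norm) not in baseline_apks:
            found.append(norm)
    return sorted(found)


def doze_exemptions(sysconfig_xml):
    """Package names a sysconfig file exempts from Doze via allow-in-power-save."""
    root = ET.fromstring(sysconfig_xml)
    return sorted({el.get("package") for el in root.iter("allow-in-power-save") if el.get("package")})


def unexpected_doze_exemptions(sysconfig_xml, baseline_packages):
    """Doze exemptions that the vendor firmware does not account for."""
    return [p for p in doze_exemptions(sysconfig_xml) if p not in baseline_packages]


def triage(inventory, baseline_apks, sysconfig_xml, baseline_packages):
    """Combine both checks into one report dict."""
    return {
        "system_apks": unexpected_system_apks(inventory, baseline_apks),
        "doze_exemptions": unexpected_doze_exemptions(sysconfig_xml, baseline_packages),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, SAMPLE_BASELINE_APKS, SAMPLE_SYSCONFIG, SAMPLE_BASELINE_DOZE)
    for kind, items in report.items():
        for item in items:
            print(f"{kind}: {item}")
```

On a real image the inventory comes from a file listing of the mounted system partition and the baseline from a clean copy of the same firmware build; a vendor’s own sysconfig entries (the ASUS component in the dump is an example of a legitimate one) belong in the Doze baseline so that only additions are reported.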
At the time of writing we had no evidence of an exploit being used to obtain root privileges, though it is possible that the attackers used some unseen component to implement this feature.\r\nHere is a full list of possible commands that can be executed by the first module:\r\nCommand name | Description\r\n@stop | Stop IRC\r\n@quit | System.exit(0)\r\n@start | Start IRC\r\n@server | Set IRC server (default value is “irc.freenode.net”); the port is always 6667\r\n@boss | Set IRC command and control nickname (default value is “ISeency”)\r\n@nick | Set IRC client nickname\r\n@screen | Report every time the screen is on (enable/disable)\r\n@root | Use root features (enable/disable)\r\n@timer | Set period of IRCService start\r\n@hide | Hide implant icon\r\n@unhide | Unhide implant icon\r\n@run | Execute specified shell command\r\n@broadcast | Send command to the second module\r\n@echo | Write specified message to log\r\n@install | Download and copy specified component to the system path\r\nThe implant uses a complex intent-based communication mechanism between its components to broadcast commands:\r\nApproximate graph of relationships between BusyGasper components\r\nSecond (main) module\r\nThis module writes a log of the command execution history to the file named “lock”, which is later exfiltrated. Below is a fragment of such a log:\r\nLog with specified command\r\nLog files can be uploaded to the FTP server and sent to the attacker’s email inbox. It is even possible to send log messages via SMS to the attacker’s number.\r\nAs the screenshot above shows, the malware has its own command syntax: each command is a short combination of characters, and the “#” symbol serves as a delimiter.\r\n
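As an added example, not code from the sample or from the original write-up, here is a decoder that resolves operator commands against a subset of the Appendix II command set. It assumes that “#” separates consecutive commands and that whatever follows the longest matching command prefix is that command’s argument; both are readings of the description above, not confirmed syntax. The case rule follows the table: letters listed as X(x) match either case, letters listed in one case only (f, r, e, z) match only that case. The emergency SMS markers are the two magic strings from the write-up, with the leading space as printed there.

```python
"""Decoder for BusyGasper operator commands (v3.18s command set).

Added example, not code from the sample or the Securelist write-up.
Assumptions (not confirmed by the write-up): '#' separates consecutive
commands, and whatever follows the longest matching command prefix is
that command's argument.
"""

# Subset of Appendix II. Key spelling encodes the case rule of the table:
# an upper-case letter stands for X(x) (either case accepted); a lower-case
# letter or any other character must match exactly.
COMMANDS = {
    "!": "Interrupt previous command execution",
    "$": "Make a screenshot",
    "?": "Log device info and implant meta information",
    "B": "Broadcast specified command to another component",
    "Ifr": "Get specified file from FTP (default: CMDS file with commands)",
    "Ifs": "Upload exfiltrated data",
    "II": "Start/stop IRC service",
    "IR": "Read commands from the email inbox",
    "IS": "Send specified file or all gathered data in email",
    "Mc": "Capture photo",
    "Mra": "Start/stop audio recording (default duration 2 minutes)",
    "Mv": "Capture video with specified duration and quality",
    "R": "Execute specified shell command",
    "Q": "Stop main implant service",
    "Sr": "On/off execution of shell as root",
    "Slw": "Start watching WhatsApp messenger database changes",
    "TK0": "Mute, turn off brightness, disable keyguard, use wakelock, listen on sensors",
    "TK1": "Disable features from previous command",
    "Tw0": "Turn WiFi off",
    "Tw1": "Turn WiFi on",
    "U": "Download payload, remount system path and push payload there",
    "W": "Send SMS with specified text and number",
    "e": "Broadcast command to GPS-tracking external component",
    "z!": "Reboot device",
    "zfp": "Send gathered data to FTP",
    "zfg": "Get CMDS* text file and execute contained commands",
    "zlw": "Dump WhatsApp messages during specified period",
    "zz": "Remove shared preferences and restart the main service",
    "~": "On/off advanced logging mode with SMS and UI activity",
}

# Magic strings that turn an incoming SMS into an emergency command trigger,
# copied from the write-up including the leading space as printed there.
EMERGENCY_SMS_MARKERS = (" 2736428734", " 7238742800")


def _key_matches(key, text):
    """True if text starts with key under the table's case rule."""
    if len(text) < len(key):
        return False
    for k, c in zip(key, text):
        if k.isalpha() and k.isupper():
            if c.upper() != k:
                return False
        elif c != k:
            return False
    return True


def decode_token(token):
    """Resolve one command token to (key, description, argument), or None."""
    best = None
    for key in COMMANDS:
        if _key_matches(key, token) and (best is None or len(key) > len(best)):
            best = key  # longest prefix wins, so 'ifr' is not mistaken for 'i...'
    if best is None:
        return None
    return best, COMMANDS[best], token[len(best):]


def decode(line):
    """Split an operator line on '#' (assumed delimiter) and decode each token."""
    return [decode_token(t) for t in line.split("#") if t]


def is_emergency_sms(body):
    """True if an SMS body carries one of the hardcoded magic strings."""
    return any(marker in body for marker in EMERGENCY_SMS_MARKERS)


if __name__ == "__main__":
    # Constructed operator line: the tk0/tk1 sequence from the write-up plus an FTP upload.
    for item in decode("tk0#R input keyevent 3#tk1#zfp"):
        print(item)
    print(is_emergency_sms("Your code: 7238742800"))
```

Longest-prefix matching matters because the set is prefix-heavy (I, If, Ifr); a lookup that stopped at the first hit would misattribute most of the I(i) and S(s) families. Extending the table to the full Appendix II is a matter of adding rows in the same key spelling.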
A full list of all possible commands with descriptions can be found in Appendix II below.\r\nThe malware has all the popular capabilities of modern spyware. Below is a description of the most noteworthy:\r\nThe implant is able to spy on all available device sensors and to log registered events. Moreover, there is a special handler for the accelerometer that is able to calculate and log the device’s speed:\r\nThis feature is used in particular by the command “tk0”, which mutes the device, disables the keyguard, turns off the brightness, acquires a wakelock and listens to device sensors. This allows it to silently execute any backdoor activity without the user knowing that the device is in an active state. As soon as the user picks up the device, the implant detects a motion event and executes the “tk1” and “input keyevent 3” commands. “tk1” disables all the effects of the “tk0” command, while “input keyevent 3” is the shell command that simulates pressing the ‘home’ button, so all the current activities are minimized and the user won’t suspect anything.\r\nLocation services to enable (GPS/network) tracking:\r\nThe email command and control protocol. The implant can log in to the attacker’s email inbox, parse emails for commands in a special “Cmd” folder and save any payloads to the device from email attachments.\r\nAccessing the “Cmd” folder in the attacker’s email box\r\nMoreover, it can send a specified file or all the gathered data from the victim device via email.\r\nEmergency SMS commands. If an incoming SMS contains one of the following magic strings, “ 2736428734” or “ 7238742800”, the malware executes multiple initial commands:\r\nKeylogger implementation\r\nKeylogging is implemented in an original manner. Immediately after activation, the malware creates a TextView element in a new window with the following layout parameters:\r\nAll these parameters ensure the element is hidden from the user. Then it adds an OnTouchListener to this TextView and is able to process every user tap.\r\nInterestingly, there is an allowlist of tapped activities:\r\nui.ConversationActivity\r\nui.ConversationListActivity\r\nSemcInCallScreen\r\nQuadrapop\r\nSocialPhonebookActivity\r\nThe listener can operate only with coordinates, so it calculates pressed characters by matching the given values with hardcoded ones:\r\nAdditionally, if there is a predefined command, the keylogger can make a screenshot of the tapped display area:\r\nManual access and operator menu\r\nThere is a hidden menu (Activity) for controlling implant features that looks like it was created for manual operator control. To activate this menu the operator needs to call the hardcoded number “9909” from the infected device:\r\nA hidden menu then instantly appears on the device display:\r\nThe operator can use this interface to type any command for execution. It also shows the current malware log.\r\nInfrastructure\r\nFTP server\r\nThe attackers used ftp://213.174.157[.]151/ as a command and control server. The IP belongs to the free Russian web hosting service Ucoz.\r\nFiles | Description\r\nCMDS*.txt | Text files with commands to execute\r\nsupersu.apk | SuperSU (eu.chainfire.supersu, https://play.google.com/store/apps/details?id=eu.chainfire.supersu) tool\r\n246.us, us.x | SuperSU ELF binaries\r\nsupersu.cfg, supersu.cfg.ju, supersu.cfg.old | SuperSU configs with spyware implant mention\r\nbb.txt | BusyBox v1.26.2 ELF file\r\nbdata.xml | Config file for excluding malware components from the Android battery saver feature Doze\r\nbdatas.apk | Main implant module\r\ncom.android.network.irc.apk | Start implant module\r\nMobileManagerService.apk | ASUS firmware system component (clean)\r\nmobilemanager.apk | Corrupted archive\r\nprivapp.txt | Looks like a list of system applications (including spyware components) from the infected device\r\nrun-as.x, run-as.y | Run-as tool ELF file\r\nSuperSU config fragment for implant components and the busybox tool (supersu.cfg):\r\nThis config allows the implant to use all root features silently.\r\nContent of the bdata.xml file:\r\nIt can be added to the /system/etc/sysconfig/ path to allowlist the specified implant components from the battery saving system.\r\nEmail account\r\nA Gmail account with password is mentioned in the sample’s code:\r\nIt contains the victims’ exfiltrated data and a “cmd” directory with commands for victim devices.\r\nAppendix I: Indicators of compromise\r\nMD5\r\n9E005144EA1A583531F86663A5F14607\r\n18ABE28730C53DE6D9E4786C7765C3D8\r\n2560942BB50EE6E6F55AFC495D238A12\r\n6C246BBB40B7C6E75C60A55C0DA9E2F2\r\n7C8A12E56E3E03938788B26B84B80BD6\r\n9FFC350EF94EF840728564846F2802B0\r\nBDE7847487125084F9E03F2B6B05ADC3\r\nC2\r\nftp://213.174.157[.]151/\r\nAppendix II: List of all possible commands\r\nThese values are valid for the most recently observed version (v3.18s).\r\nDecimal | Char | Description\r\n33 | ! | Interrupt previous command execution\r\n36 | $ | Make a screenshot\r\n48 | 0 | Execute following shell: rm c/*; rm p/*; rm sdcard/Android/system/tmp/r/* (wipe environment paths?)\r\n63 | ? | Log device info and implant meta information\r\n66(98) | B(b) | Broadcast specified command to another component\r\n67(99) | C(c) | Set specified command on timer to execute\r\nDebug\r\n68(100) 65(97) | D(d) A(a) | Log last 10 tasks by getRecentTasks API\r\n68(100) 83(115) | D(d) S(s) | Log info about device sensors (motion, air temperature and pressure, etc.)\r\n68(100) 84(116) | D(d) T(t) | Log stack trace and thread information\r\nGPS module\r\n101 | e | Broadcast command to GPS-tracking external component\r\n71(103) | G(g) | Location tracking GPS/network\r\nInteraction with operators\r\n73(105) 102 114 | I(i) f r | Get specified file from FTP (default: CMDS file with commands)\r\n73(105) 102 115 | I(i) f s | Upload exfiltrated data\r\n73(105) 73(105) | I(i) I(i) | Start/stop IRC service\r\n73(105) 76(108) | I(i) L(l) | Send current location to IRC\r\n73(105) 77(109) | I(i) M(m) | Push specified message to IRC\r\n73(105) 82(114) | I(i) R(r) | Read commands from the email inbox\r\n73(105) 83(115) | I(i) S(s) | Send specified file or all gathered data in email with UID as a subject\r\nNetwork geolocation\r\n76(108) | L(l) | Get info on current cell_id\r\nCamera features\r\n77(109) 99 | M(m) c | Capture photo\r\n77(109) 108 | M(m) l | Log information about available cameras\r\n77(109) 114 97 | M(m) r a | Start/stop audio recording (default duration: 2 minutes)\r\n77(109) 114 98 | M(m) r b | Start/stop audio recording with specified duration\r\n77(109) 114 44(114) | M(m) r ,(r) | Start fully customizable recording (allows choosing a specific mic etc.)\r\n77(109) 114 115 | M(m) r s | Stop previous recording\r\n77(109) 114 116 | M(m) r t | Set recording duration\r\n77(109) 118 | M(m) v | Capture video with specified duration and quality\r\nCommon\r\n79(111) 102 | O(o) f | Hard stop of implant services, unregister receivers\r\n79(111) 110 | O(o) n | Start main implant service with all components\r\n80(112) | P(p) | Find specified images and scale them with the “inSampleSize” API\r\n81(113) | Q(q) | Stop main implant service\r\n82(114) | R(r) | Execute specified shell command\r\nShared preferences setup\r\n83(115) 33 | S(s) ! | On/off hidden operator activity\r\n83(115) 61 | S(s) = | Shared preferences control (set/remove specified value)\r\n83(115) 98 | S(s) b | On/off sending SMS message after device boot\r\n83(115) 99 | S(s) c | Put boolean value in shared preference “cpyl”\r\n83(115) 100 | S(s) d | Put boolean value in shared preference “dconn”\r\n83(115) 101 | S(s) e | On/off periodically re-enabling data connectivity\r\n83(115) 102 | S(s) f | Set GPS location update period\r\n83(115) 105 | S(s) i | Put boolean value in shared preference “imsg”\r\n83(115) 108 97 | S(s) l a | On/off foreground process activity logging\r\n83(115) 108 99 | S(s) l c | Start watching captured photos and videos\r\n83(115) 108 102 | S(s) l f | Start watching Facebook messenger database changes\r\n83(115) 108 108 | S(s) l l | On/off browser history logging\r\n83(115) 108 116 | S(s) l t | Start watching Telegram messenger cache database changes\r\n83(115) 108 118 | S(s) l v | Start watching Viber messenger database changes\r\n83(115) 108 119 | S(s) l w | Start watching WhatsApp messenger database changes\r\n83(115) 109 | S(s) m | On/off sending log SMS messages\r\n83(115) 110(112) | S(s) o(p) | Set operator telephone number (for SMS logging)\r\n83(115) 113 | S(s) q | Set implant stop-mode (full or only main service)\r\n83(115) 114 | S(s) r | On/off execution of shell as root\r\n83(115) 115 | S(s) s | On/off screen state logging\r\n83(115) 116 | S(s) t | On/off screen touches logging and number of related screenshots\r\n83(115) 117 | S(s) u | On/off debug logging mode with system thread info\r\n83(115) 120 | S(s) x | Use FTP connection via busybox or default Socket API\r\nSensor and display control\r\n84(116) 98 | T(t) b | On/off screen brightness\r\n84(116) 100 | T(t) d | On/off network data (internet)\r\n84(116) 75(107) 48 | T(t) K(k) 0 | Mute, turn off brightness, disable keyguard, use wakelock and listen on device sensors\r\n84(116) 75(107) 49 | T(t) K(k) 1 | Disable features from previous command\r\n84(116) 75(107) 50 | T(t) K(k) 2 | Disable Keyguard instance\r\n84(116) 75(107) 51 | T(t) K(k) 3 | Write “userActivity” to log\r\n84(116) 115 48 | T(t) s 0 | Disable sensor listener\r\n84(116) 115 49 | T(t) s 1 | Register listener for specified sensor\r\n84(116) 115 108 | T(t) s l | Log int value from file /dev/lightsensor\r\n84(116) 119 48 | T(t) w 0 | Turn WiFi off\r\n84(116) 119 49 | T(t) w 1 | Turn WiFi on\r\n84(116) 119 108 | T(t) w l | Control WiFi lock\r\nCommon backdoor commands\r\n85(117) | U(u) | Download payload, remount “system” path and push payload there. Based on the code comments, this feature might be used to update implant components\r\n87(119) | W(w) | Send SMS with specified text and number\r\nUpdates from the newest version\r\n122 33 | z ! | Reboot device\r\n122 99 | z c | Dump call logs\r\n122 102 | z f p | Send gathered data to FTP\r\n122 102 | z f g | Get CMDS* text file and execute contained commands\r\n122 103 | z g | Get GPS location (without log, only intent broadcasting)\r\n122 108 102 | z l f | Dump Facebook messages during specified period\r\n122 108 116 | z l t | Dump Telegram cache\r\n122 108 118 | z l v | Dump Viber messages during specified period\r\n122 108 119 | z l w | Dump WhatsApp messages during specified period\r\n122 110 | z n | Get number of all SMS messages\r\n122 111 | z o | Set ringer mode to silent\r\n122 112 | z p | Open specified URL in webview\r\n122 114 | z r | Delete all raw SMS messages\r\n122 116 | z t | Set all internal service timers\r\n122 122 | z z | Remove shared preferences and restart the main service\r\n126 | ~ | On/off advanced logging mode with SMS and UI activity\r\nSource: https://securelist.com/busygasper-the-unfriendly-spy/87627/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/busygasper-the-unfriendly-spy/87627/"
	],
	"report_names": [
		"87627"
	],
	"threat_actors": [],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55e75f0722e983156d8171efd8b99c558cf8d53c.pdf",
		"text": "https://archive.orkl.eu/55e75f0722e983156d8171efd8b99c558cf8d53c.txt",
		"img": "https://archive.orkl.eu/55e75f0722e983156d8171efd8b99c558cf8d53c.jpg"
	}
}