We identified the Overseer malware in an application that claimed to let users search for embassies in different countries.
Through close collaboration with an enterprise customer, Lookout identified Overseer, a piece of spyware we found in four apps live on the Google Play store. One of the apps was an embassy search tool intended to help travelers find embassies abroad. The malware was also trojanized into Russian and European news applications for Android.
Google promptly removed the four affected apps after Lookout notified the company. All Lookout customers are protected from this threat.
Current variants of Overseer are capable of gathering and exfiltrating the following information:
- A user’s contacts, including name, phone number, email and times contacted
- All user accounts on a compromised device
- Base station ID, latitude, longitude, network ID, location area code
- Names of installed packages, their permissions, and whether they were sideloaded
- Free internal and external memory
- Device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user
- Whether a device has been rooted in one of several ways
Targets and cloaking techniques
Overseer interested us for a few reasons. First, it targets foreign travelers: the trojanized app's advertised function is locating embassies abroad. Enterprise executives, for example, could be affected if they installed the embassy app while traveling on business.
Second, its command and control (CNC or C2) runs on Facebook's Parse backend service, which is hosted on Amazon Web Services. Riding on those two services gives the spyware HTTPS transport and a C2 endpoint in the United States on a popular cloud platform. Its traffic therefore looks like that of any legitimate Parse-backed app: there is no unusual domain, IP range or plaintext protocol to alert on, which is a problem for traditional signature- and reputation-based network IDS.
Exfiltration of data
Devices infected with Overseer periodically beacon to the api.parse.com domain, checking whether there are any outstanding commands the attacker wants to run. Depending on the response, the malware is capable of exfiltrating a significant amount of information from an infected device. All of this traffic is TLS-encrypted, so its content is opaque to network security tools that do not intercept TLS, and the destination itself is indistinguishable from that of a legitimate Parse client.
Overseer gathers and exfiltrates a range of metadata in addition to personally identifiable information from infected devices.
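Because the C2 domain is shared with legitimate Parse-backed apps and the payload is encrypted, the remaining network signal is behavioural: one device asking for api.parse.com at a steady interval. The following is an added example, not Lookout's detection logic, that scores periodicity of lookups per (client, host) from DNS or proxy logs. The log format, the client addresses and the 15-minute interval are constructed for the example; the page does not state Overseer's beacon period. A low coefficient of variation of the inter-request gaps flags a candidate for triage, not a confirmed infection, since a legitimate app can poll Parse regularly too.

```python
"""Periodic-beacon detection over DNS/proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client ip> <queried name>".
# 10.0.0.12 polls api.parse.com every ~15 minutes; 10.0.0.40 is irregular.
SAMPLE_LOG = """\
2016-08-10T09:00:00 10.0.0.12 api.parse.com
2016-08-10T09:00:03 10.0.0.12 news.example.org
2016-08-10T09:15:01 10.0.0.12 api.parse.com
2016-08-10T09:30:00 10.0.0.12 api.parse.com
2016-08-10T09:44:59 10.0.0.12 api.parse.com
2016-08-10T10:00:01 10.0.0.12 api.parse.com
2016-08-10T09:02:10 10.0.0.40 api.parse.com
2016-08-10T09:41:37 10.0.0.40 api.parse.com
2016-08-10T09:48:02 10.0.0.40 api.parse.com
2016-08-10T10:31:50 10.0.0.40 api.parse.com
2016-08-10T10:33:00 10.0.0.40 api.parse.com
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} from the constructed format."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen


def inter_request_gaps(timestamps):
    """Seconds between consecutive requests, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps, min_events=4):
    """Coefficient of variation of the gaps: near 0 means clockwork polling.

    Returns None when there are too few events to judge.
    """
    if len(timestamps) < min_events:
        return None
    gaps = inter_request_gaps(timestamps)
    mu = mean(gaps)
    if mu == 0:
        return None
    return pstdev(gaps) / mu


def find_beacons(text, watch_hosts=("api.parse.com",), max_cv=0.1):
    """Return [(client, host, mean_gap_seconds, cv)] for periodic lookups.

    Only hosts in watch_hosts are scored; the C2 domain named on the page is
    the default. max_cv is the periodicity threshold (assumed value).
    """
    flagged = []
    for (client, host), stamps in parse_log(text).items():
        if host not in watch_hosts:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            gap = round(mean(inter_request_gaps(stamps)))
            flagged.append((client, host, gap, round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for client, host, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every ~{gap}s (cv={cv}) - triage this device")
```

On the constructed log, 10.0.0.12 is flagged (gaps of 899 to 902 seconds) and 10.0.0.40 is not. In practice the result should be joined with device inventory: a Parse poll from a device that has no known Parse-backed app installed is the interesting case.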
This spyware also hides in news apps
We found more apps in the Play Store infected with Overseer. Most are news apps with relatively low download counts, and many of their reviews appear to have been posted by fake accounts. That pattern indicates the apps were created specifically to distribute Overseer.
The following SHA-1 hashes are of Android applications known to contain the Overseer malware:
- 7297578462bc15d5da80a2f4bc95b519cb241dd6
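To put the indicator above to use, the following added example (not Lookout's tooling) triages an APK in two tiers: an exact SHA-1 match against the published hash is a known-bad verdict, while Parse client strings in classes.dex are only a weak "suspicious" signal, because many legitimate apps used Parse as a backend. The string needles and the in-memory APK are assumptions constructed for the example; the page itself names only the hash and the api.parse.com domain.

```python
"""APK triage against the published Overseer indicator (added example)."""
import hashlib
import io
import zipfile

# SHA-1 published above for an app containing Overseer.
OVERSEER_SHA1 = {"7297578462bc15d5da80a2f4bc95b519cb241dd6"}

# Assumed strings a Parse-backed client carries in its dex string table.
# Presence means "talks to Parse", which on its own is not malicious.
PARSE_STRINGS = (b"api.parse.com", b"Lcom/parse/")


def sha1_of(data):
    """Hex SHA-1 of the whole APK file, the form the indicator is published in."""
    return hashlib.sha1(data).hexdigest()


def dex_strings_present(apk_bytes, needles=PARSE_STRINGS):
    """Return the subset of needles found in any classes*.dex inside the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                blob = zf.read(name)
                found.update(n for n in needles if n in blob)
    return found


def triage(apk_bytes):
    """Return (verdict, reasons); verdict is 'known_bad', 'suspicious' or 'clean'."""
    reasons = []
    digest = sha1_of(apk_bytes)
    if digest in OVERSEER_SHA1:
        reasons.append(f"sha1 {digest} matches published Overseer indicator")
        return "known_bad", reasons
    hits = dex_strings_present(apk_bytes)
    if hits:
        names = ", ".join(sorted(h.decode() for h in hits))
        reasons.append(f"classes.dex references Parse ({names}); verify the app legitimately uses Parse")
        return "suspicious", reasons
    return "clean", reasons


def build_fake_apk(dex_payload):
    """Construct a minimal zip shaped like an APK, for this example only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    parse_app = build_fake_apk(b"dex\n035\x00...Lcom/parse/ParseObject;...api.parse.com...")
    plain_app = build_fake_apk(b"dex\n035\x00...Lcom/example/News;...")
    for label, apk in (("parse-backed", parse_app), ("plain", plain_app)):
        verdict, reasons = triage(apk)
        print(f"{label}: {verdict} {reasons}")
```

Hash matching only catches the exact file published; repackaged or recompiled variants need the behavioural checks above or a vendor signature. Treat the "suspicious" tier as a prompt to look at what the app sends to Parse, not as a detection.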