September 16, 2016
Four Spyware Apps Removed from Google Play


We identified the Overseer malware in an application that claimed to provide search capabilities for specific embassies in different geographical locations.
Through close collaboration with an enterprise customer, Lookout identified Overseer, a piece of spyware we found in four apps live on the Google Play store. One of the apps was an Embassy search tool intended to help travelers find embassies abroad. The malware was also injected as a trojan in Russian and European news applications for Android.
Google promptly removed the four affected apps after Lookout notified the company. All Lookout customers are protected from this threat.
Current variants of Overseer are capable of gathering and exfiltrating the following information:
- A user’s contacts, including name, phone number, email and times contacted
- All user accounts on a compromised device
- Basestation ID, latitude, longitude, network ID, location area code
- Names of installed packages, their permissions, and whether they were sideloaded
- Free internal and external memory
- Device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user
- Whether a device has been rooted in one of several ways
Targets and cloaking techniques
Overseer interested us for a few reasons. First, it targets foreign travelers: the core functionality of the app carrying it is searching for embassy locations. For example, enterprise executives could be impacted by Overseer if they had downloaded the Embassy app during business travel.
Second, its command and control (CNC or C2) uses Facebook’s Parse Server, hosted on Amazon Web Services. By using the Facebook and Amazon services, the spyware communicates over HTTPS with a CNC that resides in the United States on a popular cloud service. As a result, Overseer’s network traffic does not stand out, which helps it remain hidden and could present a challenge for traditional network-based IDS solutions.
Exfiltration of data
Devices infected with Overseer periodically beacon to the api.parse.com domain, checking whether there are any outstanding commands the attacker wants to run. Depending on the response, the malware is capable of exfiltrating a significant amount of information from an infected device. These communications are all encrypted over the wire, which hides the traffic from network security solutions.
Overseer gathers and exfiltrates a range of metadata in addition to personally identifiable information from infected devices.
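The periodic check-ins described above can still be examined from DNS or proxy metadata even though the payload is encrypted. The sketch below is an added example, not Lookout's detection logic: it flags clients whose lookups of api.parse.com are evenly spaced. The log format, the sample lines, and the `min_events` and `max_cv` thresholds are assumptions; because the domain is a shared cloud service, a hit is a triage lead rather than proof of infection.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS log (not real traffic): "timestamp client-ip queried-name"
SAMPLE_LOG = """\
2016-09-01T08:00:02 10.0.0.21 api.parse.com
2016-09-01T08:03:10 10.0.0.34 api.parse.com
2016-09-01T08:04:55 10.0.0.34 api.parse.com
2016-09-01T08:05:00 10.0.0.21 www.example.org
2016-09-01T08:15:04 10.0.0.21 api.parse.com
2016-09-01T08:30:01 10.0.0.21 api.parse.com
truncated-line
2016-09-01T08:45:03 10.0.0.21 api.parse.com
2016-09-01T09:00:02 10.0.0.21 API.PARSE.COM.
2016-09-01T09:40:12 10.0.0.34 api.parse.com
2016-09-01T11:02:00 10.0.0.34 api.parse.com
"""

def lookups_by_client(text, domain):
    """Map client -> sorted lookup times for `domain`, skipping malformed lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        if parts[2].rstrip(".").lower() == domain:
            seen[parts[1]].append(ts)
    return {client: sorted(times) for client, times in seen.items()}

def find_beacons(text, domain="api.parse.com", min_events=4, max_cv=0.1):
    """Return {client: mean gap in seconds} where lookups of `domain` are evenly
    spaced: coefficient of variation (stdev / mean) of the gaps <= max_cv."""
    flagged = {}
    for client, times in lookups_by_client(text, domain).items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[client] = round(avg)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

In the constructed sample, 10.0.0.21 looks up the domain about every 15 minutes and is flagged, while 10.0.0.34 shows irregular, user-driven gaps and is not.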
This spyware also hides in news apps
We found more apps in the Play Store also infected with the Overseer malware. Many of these are news apps with relatively low download numbers and reviews that appear to be fake. This indicates that these apps were created for the purpose of distributing Overseer.
Other applications that contained Overseer were predominantly news focused. Many of the reviews appear to be posted by fake accounts.
The following hashes are of Android applications known to contain the Overseer malware.