June 7, 2019

eSurvAgent RTD

Discovered By
Lookout
Entry Type
Security Guidance
Threat Type
Surveillanceware, Malware
Platform(s) Affected
iOS, Android

How Lookout Detects and Protects Against Threats like eSurvAgent

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers by combining static and dynamic analysis with our machine learning engine. We classified eSurvAgent as surveillanceware when it started to use HTTPS pinning, asymmetric encryption of C2 traffic tunneled through HTTPS, and GUIDs for every part of its API endpoint URLs and directory paths. Devices with Lookout installed have detected and alerted on eSurvAgent since March 2018. Lookout also protects against other sophisticated surveillanceware that could otherwise go undetected.
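One of the indicators named above, API endpoint URLs built entirely from GUID path segments, is something a defender can hunt for in outbound proxy or egress logs. The following script is an added example written for this page, not Lookout's detection logic: it assumes a simple constructed log format of "timestamp method url", uses invented hostnames under the reserved .invalid TLD and invented GUIDs, and ranks hosts by the share of their requests whose path is made only of GUID segments. Because many legitimate APIs also use UUIDs in paths, the output is a list of review candidates to pair with the other indicators (certificate pinning, encrypted payloads), not a verdict.

```python
import re
from collections import defaultdict

# One RFC 4122-style GUID path segment (8-4-4-4-12 hex groups).
GUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)

# Assumed (constructed) proxy log format: "<timestamp> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>https?://\S+)$")

# Constructed sample log; hosts and GUIDs are invented and are not real indicators.
SAMPLE_LOG = """
2019-06-07T10:00:01Z GET https://www.example.invalid/api/v1/profile
2019-06-07T10:00:02Z POST https://c2.example.invalid/6b1ea6ff-1f8b-4c4e-9a0b-2d9f0e8f2a11/4c71a3a0-8e21-4e1f-b6d7-1a9b6f0d0e22
2019-06-07T10:00:03Z GET https://c2.example.invalid/6b1ea6ff-1f8b-4c4e-9a0b-2d9f0e8f2a11/0f3c1d2e-5a6b-4c7d-8e9f-a0b1c2d3e4f5
2019-06-07T10:00:04Z GET https://cdn.example.invalid/assets/1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d/logo.png
2019-06-07T10:00:05Z POST https://c2.example.invalid/6b1ea6ff-1f8b-4c4e-9a0b-2d9f0e8f2a11/upload
""".strip()


def parse_line(line):
    """Return (host, path) for a log line, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rest = m.group("url").split("://", 1)[1]
    host, _, path = rest.partition("/")
    return host, "/" + path.split("?", 1)[0]  # drop any query string


def path_segments(path):
    return [s for s in path.split("/") if s]


def is_guid_only_path(path):
    """True when the path has at least one segment and every segment is a GUID."""
    segs = path_segments(path)
    return bool(segs) and all(GUID_SEGMENT.match(s) for s in segs)


def score_hosts(log_text):
    """Per host: total requests and how many of them used a GUID-only path."""
    stats = defaultdict(lambda: {"total": 0, "guid_only": 0})
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        host, path = parsed
        stats[host]["total"] += 1
        if is_guid_only_path(path):
            stats[host]["guid_only"] += 1
    return dict(stats)


def flag_hosts(log_text, min_requests=2, min_ratio=0.5):
    """Hosts whose traffic is dominated by GUID-only paths (review candidates only)."""
    flagged = []
    for host, s in score_hosts(log_text).items():
        if s["total"] >= min_requests and s["guid_only"] / s["total"] >= min_ratio:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, s in sorted(score_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {s['guid_only']}/{s['total']} GUID-only paths")
    print("review candidates:", flag_hosts(SAMPLE_LOG))
```

The thresholds (`min_requests`, `min_ratio`) are deliberately parameters: on a real egress log the ratio alone will surface some SaaS APIs, so tune them against a baseline of known-good hosts before alerting on the result.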

Key Facts

  • Appears to have been created for the lawful intercept market
  • Works by abusing Apple's enterprise app provisioning system.
  • Functionality is controlled through push payloads, so an attacker can specify what data is to be retrieved
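The second key fact, abuse of Apple's enterprise (in-house) provisioning, leaves a trace on the device: an app distributed that way carries a provisioning profile whose embedded plist is marked for all devices rather than a fixed device list. The script below is an added example for this page, not Lookout's or Apple's tooling. It assumes a constructed sample plist with placeholder team values; the keys it reads (ProvisionsAllDevices, TeamIdentifier, TeamName, ExpirationDate) are the ones real .mobileprovision files contain, and it assumes the plist can be pulled from the signed blob by a marker search rather than a full CMS parse. A fleet check can compare the profile's team against the organization's own enterprise team identifiers and flag anything else for review.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: the XML plist a .mobileprovision embeds inside its CMS signature.
# Team identifier, names and bundle id are invented placeholders, not real values.
SAMPLE_ENTERPRISE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>Carrier Support</string>
  <key>Name</key><string>Example In-House Distribution</string>
  <key>TeamIdentifier</key><array><string>PLACEHOLDERTEAM</string></array>
  <key>TeamName</key><string>Example Corp S.r.l.</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>PLACEHOLDERTEAM.invalid.example.support</string>
  </dict>
</dict>
</plist>"""


def extract_plist(blob):
    """Pull the embedded XML plist out of a .mobileprovision blob.

    Assumption: the plist sits as plain XML inside the DER/CMS wrapper, so a
    marker search is enough; signature verification is out of scope here."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(blob, trusted_team_ids, now=None):
    """Return team details plus a list of findings for one provisioning profile."""
    p = extract_plist(blob)
    now = now or datetime.now(timezone.utc)
    teams = set(p.get("TeamIdentifier", []))
    findings = []

    # ProvisionsAllDevices marks enterprise (in-house) distribution: no per-device list.
    if p.get("ProvisionsAllDevices"):
        findings.append("enterprise (in-house) distribution profile")
        if not teams & set(trusted_team_ids):
            findings.append("team %s not in trusted list" % ",".join(sorted(teams)))

    # plistlib returns naive UTC datetimes; make them aware before comparing.
    exp = p.get("ExpirationDate")
    if exp is not None:
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        if exp < now:
            findings.append("profile expired")

    return {"team_name": p.get("TeamName"), "teams": sorted(teams), "findings": findings}


if __name__ == "__main__":
    # Treat the placeholder team as "not ours" to show the review finding.
    result = assess_profile(SAMPLE_ENTERPRISE_PROFILE, trusted_team_ids=["OURTEAMID"])
    print(result["team_name"], result["teams"])
    for f in result["findings"]:
        print(" -", f)
```

On a managed fleet the trusted list is the organization's own Apple Developer Enterprise team identifiers; any in-house profile from another team is exactly the pattern this page describes, an app that looks legitimately signed but was never issued through the user's own organization.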

Background and Discovery Timeline

Early in 2018, Lookout investigated eSurvAgent, a sophisticated Android surveillanceware agent with links to an Italian company called eSurv, formerly known as Connexxa. Also known as Exodus, the agent seems to have been under development for at least five years and is a multi-stage threat with a dropper, a large second stage payload, and a final stage to obtain root access to the device. Recently, Lookout researchers uncovered the iOS component of the same threat, which was delivered to users through phishing sites that imitated customer support sites. Furthermore, through the abuse of Apple’s enterprise provisioning system, eSurv applications were signed with legitimate Apple-issued certificates.

Capabilities and Affected Parties

The iOS variant contained a subset of the functionality the Android releases offered and did not have full capabilities to exploit a device. However, this version was still able to take advantage of Apple’s certification process to appear legitimate and deploy on iOS devices to exfiltrate the following types of data:

  • Contacts
  • Photos
  • GPS location
  • Audio recordings
  • Videos
  • Device information

The software was discovered on phishing sites that imitated Italian and Turkmenistani mobile carriers, as well as in the Italian Google Play Store. It has since been removed from the official Play Store, and Apple has revoked the relevant enterprise certificates.
