Government Malware Going by the Name of Exodus Has Affected Thousands of Users

News just in; security experts have just discovered a new government spyware called Exodus which infiltrates user software using the Google Play Store.

The Security without Borders organization has a team of dedicated security researchers and advisors who conducted an analysis of this threat. It was revealed through this organization that this government spyware hides within the Google Play Store and has been able to infect hundreds of people who use the platform.

The malware has been named Exodus, after the command and control servers with which it is connected. For months, the malware worked to infiltrate user devices without detection and the worst part is that it’s not the first of its kind. There have been similar cases of malicious code that’s purposefully hidden within the Google Play Store apps because it’s a widely used platform.

According to the research data, over 20 malicious apps were running for over two years in the Google Play marketplace. Motherboard further reports that the Android surveillance malware was sold by a surveillance camera manufacturer to the Italian government. Interestingly enough, this manufacturer is not a well-known malware producer and this was the first surveillance software that was connected to it.

Researcher reveals that the main targets of this surveillance operation were innocent users who had no idea that they were playing a part in spreading this malware. This is plausible when you consider how poorly developed the spyware is.

It all started with the upload of previously unknown spyware apps onto the Google Play Store. The curious thing is that this happened multiple times over the last two years and these apps would often be re-uploaded every few months even though they were on the platform for years. The malware mainly targeted users in the Italian market.

Once tracked, the malware was shown to have a similar disguise in all instances. They would often be disguised as apps that were being disseminated by unknown Italian mobile operators. The attack would start with the victim receiving an SMS with a description of the app, urging them to download it from the Google Play Store. The Google Play decoy pages were all written in Italian and have been fully identified as such.

Part of what made the Exodus surveillance malware so effective was the fact that it was hidden in plain sight and looked just like any other app that’s meant to promote cell phone deals. In most cases, the app was advertised as something that would improve the users’ mobile device performance.


As soon as the researchers revealed their findings to Google, the tech giant instantly removed the affected apps and later revealed that they discovered 25 unique variations of the spyware in two years.

Most of 1,000 users who were affected by the spyware came from Italy and according to Google, the malware operates in two stages. Stage 1 involves infecting the device with malicious code in order to get the user’s IMEI and phone number. The hackers also used the “CheckValidTarget” function to find specific users to target.

However, this function wasn’t that effective because in most cases the malware infected users whom the hackers didn’t intend to infect.

Researchers state that their tests showed that the spyware jumped onto the second stage right after check-ins which means that the Command and Control operators were imposing target validation. Within a few days, the experts say the infected test device wasn’t disinfected as expected, even though it didn’t meet the target criteria.

In any case, the second stage of the Exodus malware involves stealing the user’s sensitive data including their browsing history, phone calls, private audio recordings, calendar information, text messages, WhatsApp chats, Facebook Messenger logs, and other important data.

Not only that but research data shows that the spyware can also create a backdoor escape route on the infected device which gives it access to other users who may be connected to the same Wi-Fi network as the targeted device.

Unless the mobile operator uses client isolation technology to keep user accounts separate, the infected devices can also infect other users on the network as well. This opens up the device to data tampering on top of the compromised security that it has experienced.

Security without Borders researchers say that the malware’s author came from an Italian company known as eSurv. The company’s location has been traced to the south of Italy in a city known as Catanzaro.

Apparently, the authors left behind two strings on the malware code, namely; “RINO GATTUSO” and “mundizza.” The word “mundizza” means “garbage” and comes from a dialect of the Italian language that’s commonly used in South Calabria. Meanwhile, Rino Gattuso is a well-known Italian footballer who comes from Calabria (surprise, surprise).

Experts also discovered overlapping infrastructure between a TLS certificate, the C2 server shares, and eSurv surveillance cameras.

According to the researchers, there are other spyware samples that are able to communicate with an eSurv server, and Google later confirmed that the servers did indeed belong to eSurv, and this information was corroborated by a Trail of Bits researcher who was responsible for reviewing a technical report on the spyware.

spyware proof

We didn’t stop there, however, as we went on to request comment from the eSurv company but we were met with a firm “no comment.”

But then we came across an online document that was published according to Italian government spending transparency law, and it stated that eSurv was awarded a tender from the State Police department to develop a “passive and active interception system.” As such, the government paid eSurv €307,439.90 for its services on November 6th, 2016. This is according to a report by Motherboard.