Trusted Design

Exodus: New Android Spyware Made in Italy

概要

Security Without Borders identified a new Android spyware platform we named Exodus, which is composed of two stages we call Exodus One and Exodus Two. We have collected numerous samples spanning from 2016 to early 2019. Instances of this spyware were found on the Google Play Store, disguised as service applications from mobile operators. Both the Google Play Store pages and the decoys of the malicious apps are in Italian. According to publicly available statistics, as well as confirmation from Google, most of these apps collected a few dozens installations each, with one case reaching over 350. All of the victims are located in Italy. All of these Google Play Store pages have been taken down by Google. Security Without Borders believes this spyware platform is developed by an Italian company called eSurv, which primarily operates in the business of video surveillance. According to public records it appears that eSurv began to also develop intrusion software in 2016.

Created: 2026-02-23

Indicators

• hostname - ad1.fbsba.com -
• hostname - attiva.exodus.esurv.it -
• FileHash-SHA256 - e3f65f84dd6c2c3a5a653a3788d78920c0321526062a6b53daaf23fa57778a5f -
• FileHash-SHA256 - 8453ce501fee1ca8a321f16b09969c517f92a24b058ac5b54549eabd58bf1884 -
• FileHash-SHA256 - 48a7dd672931e408662d2b5e1abcd6ef00097b8ffe3814f0d2799dd6fd74bd88 -
• FileHash-SHA256 - 13ec6cec511297ac3137cf7d6e4a7c4f5dd2b24478a06262a44f13a3d61070b6 -
• FileHash-SHA256 - 70e2eea5609c6954c61f2e5e0a3aea832d0643df93d18d7d78b6f9444dcceef0 -
• FileHash-SHA256 - 26fef238028ee4b5b8da631c77bfb44ada3d5db8129c45dea5df6a51c9ea5f55 -
• FileHash-SHA256 - 11499ff2418f4523344de81a447f6786fdba4982057d4114f64db929990b4b59 -
• FileHash-SHA256 - 4f6146956b50ae3a6e80a1c1f771dba848ba677064eb0e166df5804ac2766898 -
• FileHash-SHA256 - 824ad333320cbb7873dc49e61c14f749b0e0d88723635524463f2e6f56ea133a -
• FileHash-SHA256 - a42a05bf9b412cd84ea92b166d790e8e72f1d01764f93b05ace62237fbabe40e -
• FileHash-SHA256 - 011b6bcebd543d4eb227e840f04e188fb01f2335b0b81684b60e6b45388d3820 -
• FileHash-SHA256 - 5db49122d866967295874ab2c1ce23a7cde50212ff044bbea1da9b49bb9bc149 -
• FileHash-SHA256 - 0f5f1409b1ebbee4aa837d20479732e11399d37f05b47b5359dc53a4001314e5 -
• FileHash-SHA256 - b46f282f9a1bce3798faee3212e28924730a657eb93cda3824c449868b6ee2e7 -
• FileHash-SHA256 - 33a9da16d096426c82f150e39fc4f9172677885cfeaedcff10c86414e88be802 -
• FileHash-SHA256 - e0acbb0d7e55fb67e550a6bf5cf5c499a9960eaf5f037b785f9004585202593b -
• FileHash-SHA256 - 00c787c0c0bc26caf623e66373a5aaa1b913b9caee1f34580bdfdd21954b7cc4 -
• FileHash-SHA256 - 3c9f08b3280851f54414dfa5a57f40d3b7be7b73736fa0ba21b078e75ce54d33 -
• FileHash-SHA256 - db59407f72666526fca23d31e3b4c5df86f25eff178e17221219216c6975c63f -
• FileHash-SHA256 - 34d000ee1e36efd10eb37e2b79d69249d5a85682a61390a89a1b9391c46bf2ba -
• FileHash-SHA256 - 64c11fdb317d6b7c9930e639f55863df592f23f3c7c861ddd97048891a90c64b -
• FileHash-SHA256 - a37f5d2418c5f2f64d06ba28fe62edee1293a56158ddfa9f04020e316054363f -
• FileHash-SHA256 - 47449a612697ad99a6fbd6e02a84e957557371151f2b034a411ebb10496648c8 -
• FileHash-SHA256 - 80810a8ec9624f317f832ac2e212dba033212258285344661e5da11b0d9f0b62 -
• FileHash-SHA256 - 3ee3a973c62ba5bd9eab595a7c94b7a26827c5fa5b21964d511ab58903929ec5 -
• FileHash-SHA256 - 2055584625d24687bd027a63bc0b8faa7d1a854a535de74afba24840a52b1d2f -
• hostname - ws.my-local-weather.com -
• FileHash-SHA256 - c228a534535b22a316a97908595a2d793d0fecabadc32846c6d1bfb08ca9a658 -

類似Pulses

• Trojan-Banker.AndroidOS.Faketoken follow-up (score: 0.67)
• Spyware Disguises as Android Applications on Google Play (score: 0.66)
• Spyware on google play store (score: 0.65)
• Exaspy – Commodity Android Spyware Targeting High-level Executives (score: 0.63)
• ZBot Malware (score: 0.60)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る