
S0655: BusyGasper

BusyGasper is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia, and all of whom were infected via physical access to the device.[1]

Domain: Mobile. ID: S0655. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

BusyGasper is an Android spyware entry in ATT&CK with a small reported victim set and infections described as requiring physical access to the device. Its significance is not broad-scale prevalence; it is the kind of mobile compromise that can matter greatly for executives, administrators, investigators, or other high-value users because the related behaviors include audio, video, screen, location, SMS, call, local data, and keystroke collection.

Executive priority

Treat this as a targeted mobile risk and custody-control problem rather than a commodity malware volume problem. Leaders should ask whether high-risk Android devices are inventoried, physically protected, permission-governed, and covered by mobile telemetry sufficient to support incident response and audit evidence. The business concern is exposure of sensitive communications, credentials, location, and meetings from a device that may otherwise look normal to the user.

Technical view

ATT&CK publishes no detection text for software objects such as BusyGasper, so defenders should validate coverage against the mapped Android behaviors: runtime code download, access to stored application and local system data, keylogging, microphone/camera/screen capture, location tracking, SMS and call control, Unix shell use, icon suppression and user evasion, out-of-band commands via SMS, unencrypted exfiltration over FTP and email, IRC-based control, and copying of components into the system partition where root access already exists. That last point matters for triage: the system-partition behavior depends on pre-existing root, which fits the physical-access infection route rather than a remote exploit. SOC and IR teams should focus on correlating unusual permission combinations, hidden or hard-to-remove applications, unexpected SMS/call/network activity, local data access, and signs of rooted or otherwise tampered devices.

Likely telemetry

  • Android device and application inventory, including package metadata and install history
  • Application permission grants for microphone, camera, location, SMS, phone, screen capture, accessibility, and keyboard-related capabilities
  • MDM/mobile security alerts for hidden applications, suppressed launcher icons, risky permissions, or policy violations
  • Network telemetry from mobile devices, especially unencrypted outbound protocols and unusual web-service communication patterns
  • SMS, call, and notification access indicators where legally and operationally available

Detection direction

  • Because MITRE provides no BusyGasper-specific detection, build behavior-based validation around the mapped techniques rather than relying on a malware name alone.
  • Prioritize correlation: a single permission such as location or microphone may be legitimate, but combinations of SMS control, call control, media capture, hidden icon behavior, runtime code download, and suspicious network activity should raise priority.
  • Tune against approved business applications, accessibility tools, mobile device management agents, communication apps, and support tools to reduce false positives.
  • Account for blind spots in BYOD, unmanaged Android devices, devices without mobile EDR/MDM, and telemetry that cannot observe SMS, calls, screen capture, or local storage access.
  • Include physical-access scenarios in triage: review custody history and recent hands-on support events when a high-risk Android device shows suspicious spyware-like behavior.
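
The permission-combination correlation described in the technical view and in the detection direction above, as an added example that is not part of the ATT&CK object, the SecureList report, or BusyGasper itself. The record layout (package, permissions, launcher_icon, install_source) is a hypothetical MDM inventory export that you would map from your own tool; the permission strings are real AOSP manifest names, while every package name and the SAMPLE records are constructed. The scoring weights and thresholds are assumptions to be tuned.

```python
"""Permission-combination triage over an Android application inventory.

Added example for this page; it is not code from ATT&CK, SecureList or BusyGasper.
The record layout (package, permissions, launcher_icon, install_source) is a
hypothetical MDM inventory export and must be mapped from your own tool's output.
Permission strings are real AOSP manifest names; every package name below and the
SAMPLE records are constructed.
"""

# Capability groups, labelled with the BusyGasper techniques they stand in for.
CAPABILITY_PERMS = {
    "audio (T1429)": {"android.permission.RECORD_AUDIO"},
    "video (T1512)": {"android.permission.CAMERA"},
    "location (T1430)": {"android.permission.ACCESS_FINE_LOCATION",
                         "android.permission.ACCESS_COARSE_LOCATION"},
    "sms (T1636.004/T1582)": {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS",
                              "android.permission.SEND_SMS"},
    "call (T1616)": {"android.permission.CALL_PHONE",
                     "android.permission.READ_CALL_LOG",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    # Overlay/accessibility are how tap-based keylogging and screen capture are
    # usually obtained on a non-rooted device. BIND_ACCESSIBILITY_SERVICE is set
    # on a declared service rather than requested, so an export may carry it as
    # a separate field; it is folded into this group here for simplicity.
    "input/screen (T1417.001/T1513)": {"android.permission.SYSTEM_ALERT_WINDOW",
                                       "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "local data (T1533/T1409)": {"android.permission.READ_EXTERNAL_STORAGE",
                                 "android.permission.READ_CONTACTS"},
}
CONTROL_GROUPS = {"sms (T1636.004/T1582)", "call (T1616)"}
CAPTURE_GROUPS = {"audio (T1429)", "video (T1512)", "input/screen (T1417.001/T1513)"}
# Installers we trust; "com.example.mdm" stands for a hypothetical MDM agent.
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.mdm"}


def score_app(rec, approved=frozenset()):
    """Score one inventory record; returns groups hit, flags, score and level."""
    if rec["package"] in approved:
        return {"package": rec["package"], "score": 0, "groups": [],
                "flags": [], "level": "allowlisted"}
    perms = set(rec.get("permissions", []))
    groups = sorted(g for g, names in CAPABILITY_PERMS.items() if perms & names)
    flags = []
    score = len(groups)
    if not rec.get("launcher_icon", True):          # T1628.001 icon suppression
        flags.append("no launcher icon")
        score += 2
    if rec.get("install_source") not in TRUSTED_INSTALLERS:  # sideload/adb install
        flags.append("untrusted installer")
        score += 1
    if set(groups) & CONTROL_GROUPS and set(groups) & CAPTURE_GROUPS:
        flags.append("control+capture combination")   # SMS/call channel plus mic/camera/input
        score += 1
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"package": rec["package"], "score": score, "groups": groups,
            "flags": flags, "level": level}


def triage(records, approved=frozenset()):
    """Score all records and return medium/high findings, highest first."""
    scored = [score_app(r, approved) for r in records]
    hits = [r for r in scored if r["level"] in ("high", "medium")]
    return sorted(hits, key=lambda r: -r["score"])


# Constructed inventory: one maps app, one approved messenger, one hidden
# sideloaded app with the full BusyGasper permission profile, one voice recorder.
SAMPLE = [
    {"package": "com.example.maps", "launcher_icon": True,
     "install_source": "com.android.vending",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.messenger", "launcher_icon": True,
     "install_source": "com.android.vending",
     "permissions": ["android.permission.READ_SMS", "android.permission.SEND_SMS",
                     "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE",
                     "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                     "android.permission.READ_CONTACTS"]},
    {"package": "com.android.settingshelper", "launcher_icon": False,
     "install_source": None,
     "permissions": ["android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
                     "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
                     "android.permission.SYSTEM_ALERT_WINDOW",
                     "android.permission.READ_EXTERNAL_STORAGE"]},
    {"package": "com.example.voicenotes", "launcher_icon": True,
     "install_source": "com.android.vending",
     "permissions": ["android.permission.RECORD_AUDIO",
                     "android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.ACCESS_COARSE_LOCATION"]},
]
APPROVED = frozenset({"com.example.messenger"})   # business-approved baseline

if __name__ == "__main__":
    for f in triage(SAMPLE, APPROVED):
        print(f["level"], f["score"], f["package"], f["groups"], f["flags"])
```

Run without the APPROVED allowlist and the legitimate messenger also scores high, because SMS, call, audio and camera together are exactly the profile the rule looks for; that is why the tuning step against approved communication apps has to precede any alerting on this logic. The hidden, sideloaded record is the only one where the icon and installer flags add to the permission count, which is the combination that should push a device into custody-history review.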

Mitigation priorities

  • Start with physical and administrative controls for high-risk Android devices: strong screen locks, controlled support handling, and documented chain-of-custody for executive or sensitive-user devices.
  • Use mobile device management or equivalent governance to maintain app inventory, enforce baseline configuration, and review high-risk permissions.
  • Limit installation of untrusted or unnecessary applications and validate apps that request sensitive permissions such as SMS, phone, microphone, camera, location, accessibility, or screen capture.
  • Prepare IR procedures for mobile spyware cases, including isolation, evidence preservation, review of sensitive accounts used on the device, and secure re-provisioning when compromise is suspected.
  • For compliance evidence, retain records showing managed-device coverage, permission review, device inventory, and response actions for high-risk mobile users.

Analyst notes and limits

The most important decision value is the combination of physical-access infection reporting and broad surveillance behaviors. This makes BusyGasper most relevant to targeted mobile security, executive protection, insider/physical custody concerns, and IR readiness for Android devices rather than general malware prevalence tracking.

The supplied ATT&CK object does not include official detection guidance, aliases, labels, or tactics. Victim information is limited to the official description and one external SecureList reference. Local device telemetry, MDM coverage, legal constraints, and business-approved app baselines are required before assessing exposure or detection coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

18 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1645 | Compromise Client Software Binary | BusyGasper can abuse existing root access to copy components into the system partition. [1]
Mobile | T1639.001 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | BusyGasper can download text files with commands from an FTP server and exfiltrate data via email. [1]
Mobile | T1481.002 | Bidirectional Communication (sub-technique) | BusyGasper can be controlled via IRC using freenode.net servers. [1]
Mobile | T1533 | Data from Local System | BusyGasper can collect images stored on the device and browser history. [1]
Mobile | T1628.001 | Suppress Application Icon (sub-technique) | BusyGasper can hide its icon. [1]
Mobile | T1623.001 | Unix Shell (sub-technique) | BusyGasper can run shell commands. [1]
Mobile | T1417.001 | Keylogging (sub-technique) | BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character. [1]
Mobile | T1429 | Audio Capture | BusyGasper can record audio. [1]
Mobile | T1616 | Call Control | BusyGasper can open a hidden menu when a specific phone number is called from the infected device. [1]
Mobile | T1512 | Video Capture | BusyGasper can record from the device's camera. [1]
Mobile | T1407 | Download New Code at Runtime | BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary's inbox. [1]
Mobile | T1430 | Location Tracking | BusyGasper can collect the device's location information based on cellular network or GPS coordinates. [1]
Mobile | T1636.004 | SMS Messages (sub-technique) | BusyGasper can collect SMS messages. [1]
Mobile | T1628.002 | User Evasion (sub-technique) | BusyGasper can utilize the device's sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen's brightness as low as possible and muting the device. [1]
Mobile | T1582 | SMS Control | BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device. [1]
Mobile | T1644 | Out of Band Data | BusyGasper can perform actions when one of two hardcoded magic SMS strings is received. [1]
Mobile | T1513 | Screen Capture | BusyGasper can use its keylogger module to take screenshots of the area of the screen that the user tapped. [1]
Mobile | T1409 | Stored Application Data | BusyGasper can collect data from messaging applications, including WhatsApp, Viber, and Facebook. [1]
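
The three network channels in the table (FTP command retrieval and email exfiltration under T1639.001, IRC control under T1481.002) are the parts of this profile that ordinary mobile network telemetry can see, so here is an added example of flow-level matching for them. This is not code from ATT&CK, SecureList or the malware. The flow lines are a constructed CSV, the IP addresses come from RFC 5737 documentation ranges, "mail.corp.example" is a hypothetical corporate relay, and the bulk-mail threshold is an assumption. Port-based matching is a coarse first pass; where proxy or DPI logs identify the application protocol, match on that instead. The freenode.net hostname is what the 2018 report observed and that network changed hands in 2021, so the rule matches IRC ports as well as the domain rather than relying on the domain alone.

```python
"""Flag mobile-device network flows that match BusyGasper's channels.

Added example for this page, not code from ATT&CK, SecureList or BusyGasper.
Rules follow the mapped techniques: FTP command download and e-mail exfiltration
(T1639.001) and IRC control via freenode.net (T1481.002). Flow lines are a
constructed CSV (timestamp,device,dst_host,dst_ip,dst_port,proto,bytes_out);
IPs are RFC 5737 documentation ranges and "mail.corp.example" is a hypothetical
corporate relay. Port matching is a coarse first pass; prefer protocol
identification from DPI or proxy logs where available.
"""
import csv
import io

# Constructed sample: two managed phones, one of which shows all three channels.
FLOWS_CSV = """timestamp,device,dst_host,dst_ip,dst_port,proto,bytes_out
2024-05-01T08:00:01Z,phone-exec-01,api.example.com,203.0.113.10,443,tcp,5120
2024-05-01T08:02:13Z,phone-exec-02,,198.51.100.7,21,tcp,640
2024-05-01T08:02:40Z,phone-exec-02,irc.freenode.net,198.51.100.9,6667,tcp,2048
2024-05-01T08:05:07Z,phone-exec-02,,198.51.100.20,25,tcp,2450000
2024-05-01T08:06:30Z,phone-exec-01,mail.corp.example,203.0.113.25,587,tcp,90000
"""

MAIL_RELAYS = {"mail.corp.example"}   # hypothetical approved outbound mail relays
IRC_PORTS = {6667, 6697}
SMTP_PORTS = {25, 465, 587}
EXFIL_BYTES = 1_000_000               # assumed "bulk" threshold; tune per environment


def parse_flows(text):
    """Parse the CSV into dicts with integer port and byte counts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dst_port"] = int(r["dst_port"])
        r["bytes_out"] = int(r["bytes_out"])
    return rows


def flag_flow(flow, mail_relays=MAIL_RELAYS):
    """Return (technique, reason) tuples for one flow; empty list if nothing matched."""
    findings = []
    port, host = flow["dst_port"], flow["dst_host"]
    if port == 21:
        findings.append(("T1639.001",
                         "plaintext FTP from a mobile device (command/payload retrieval)"))
    if port in IRC_PORTS or host.endswith("freenode.net"):
        findings.append(("T1481.002", "IRC-style bidirectional channel"))
    if port in SMTP_PORTS and host not in mail_relays:
        reason = "direct SMTP to a non-corporate relay"
        if flow["bytes_out"] >= EXFIL_BYTES:
            reason += f" with {flow['bytes_out']} bytes out (possible exfiltration)"
        findings.append(("T1639.001", reason))
    return findings


def triage_flows(text, mail_relays=MAIL_RELAYS):
    """Group findings per device so the analyst sees the combination, not a single hit."""
    by_device = {}
    for flow in parse_flows(text):
        for technique, reason in flag_flow(flow, mail_relays):
            by_device.setdefault(flow["device"], []).append(
                (flow["timestamp"], technique,
                 f"{flow['dst_ip']}:{flow['dst_port']}", reason))
    return by_device


if __name__ == "__main__":
    for device, hits in triage_flows(FLOWS_CSV).items():
        print(device)
        for ts, technique, dst, reason in hits:
            print(f"  {ts} {technique} {dst} {reason}")
```

Grouping by device is the point: a single FTP or SMTP flow from a phone is usually a misconfigured client, but FTP plus IRC plus bulk direct SMTP from one managed device in a few minutes is the shape of the channel set in the table and should be handled alongside the device's app inventory and custody history.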


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot; where Glexia retains multiple ATT&CK source imports, the same object can be compared across releases.

ATT&CK release: 19.1
Object version: 1.0
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.0, current bundle)

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. SecureList. Retrieved October 1, 2021.
  2. [2] MITRE ATT&CK. S0655: BusyGasper.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.