Exodus, as the malware for Android phones has been dubbed, was under development for at least five years. It was spread in apps disguised as service applications from Italian mobile operators. Exodus was hidden inside apps available on phishing websites and nearly 25 apps available in Google Play. In a report published two weeks ago, researchers at Security without Borders said Exodus infected phones estimated to be in the "several hundreds if not a thousand or more."
Exodus consisted of three distinct stages. The first was a small dropper that collected basic identifying information about the device, such as the IMEI and phone number, and sent it to a command-and-control server. A second stage was installed almost immediately after the researchers’ test phone was infected with the first stage and also reported to a control server. That led researchers to believe all phones infected with stage one are indiscriminately infected with later stages.
Stage two consisted of multiple binary packages that implemented the bulk of the advanced surveillance capabilities. Some of the variants encrypted communications with self-signed certificates that were pinned to the apps. The binaries could also take advantage of capabilities available on specific devices. For instance, one binary made use of “protectedapps,” a feature in Huawei phones, to keep Exodus running even when the screen went dark, rather than be suspended to reduce battery consumption.