BusyGasper can record audio.^[1]

BusyGasper can open a hidden menu when a specific phone number is called from the infected device.^[1]

BusyGasper can run shell commands.^[1]

BusyGasper can abuse existing root access to copy components into the system partition.^[1]

BusyGasper can collect images stored on the device and browser history.^[1]

BusyGasper can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.^[1]

BusyGasper can download text files with commands from an FTP server and exfiltrate data via email.^[1]

BusyGasper can hide its icon.^[1]

BusyGasper can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.^[1]

BusyGasper can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.^[1]

BusyGasper can collect the device’s location information based on cellular network or GPS coordinates.^[1]

BusyGasper can perform actions when one of two hardcoded magic SMS strings is received.^[1]

BusyGasper can collect SMS messages.^[1]

BusyGasper can use its keylogger module to take screenshots of the area of the screen that the user tapped.^[1]

BusyGasper can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.^[1]

BusyGasper can collect data from messaging applications, including WhatsApp, Viber, and Facebook.^[1]

BusyGasper can record from the device’s camera.^[1]

BusyGasper can be controlled via IRC using freenode.net servers.^[1]