Researchers Discover PhoneSpy Malware Spying on South Korean Citizens

An ongoing mobile spyware campaign was uncovered that is using a family of 23 malicious Android apps to spy on South Korean residents in an attempt to extract sensitive information and gain remote control of the devices.

“With more than a thousand South Korean victims, the malicious group behind this invasive campaign had access to all data, communications and services on their devices,” said Zimperium researcher Aazim Yaswant. “The victims gave their private information to the malicious actors with no indication that anything was wrong.”

The Dallas-based mobile security company named the campaign “PhoneSpy”.


Zimperium did not attribute the spyware to any known threat actor. “The evidence surrounding PhoneSpy shows a familiar framework that has been passed down for years, updated by individuals, and shared in private communities and back-channels until it is put together into what we see today in this variant,” Richard Melick, Director of Product Strategy for Endpoint Security, told The Hacker News.

The rogue apps masquerade as seemingly innocuous lifestyle utilities, ranging from learning yoga and browsing photos to watching TV and videos. The malware artifacts were not found on the Google Play Store or on unofficial third-party app marketplaces, implying that social engineering or web traffic redirection is used to entice users into downloading the apps.

Once installed, the application requests a variety of permissions before opening a phishing page that mimics the login pages of popular apps like Facebook, Instagram, Google, and Kakao Talk. Users attempting to log in are shown an HTTP 404 Not Found message, while in reality their credentials have already been captured and exfiltrated to a remote command-and-control (C2) server.

“Many of the applications are facades of a real app without the advertised user-based functionality,” explains Yaswant. “In some other cases, such as simpler apps that advertise photo viewers, the app works as advertised while the PhoneSpy spyware works in the background.”


Like other Trojans, PhoneSpy abuses the broad permissions it has been granted so that the attacker can access the camera to take pictures, record video and audio, obtain an exact GPS location, view images stored on the device, extract SMS messages, contacts and call logs, and even send text messages from the phone with attacker-controlled content. The collected data is then transmitted to the C2 server.

“Mobile spyware is an incredibly powerful and effective weapon against the data we hold in our hands. As our phones and tablets continue to turn to digital wallets and ID cards, forms of multi-factor authentication, and keys to data realm for our professional and personal lives, the malicious actors who want that very data will find new ways to steal it,” said Melick.

“PhoneSpy and other examples of mobile spyware show that these toolsets and frameworks can be broken and rebuilt over and over with updated code and capabilities, giving attackers the upper hand for businesses spying on the competition as most of these critical devices aren’t surrounded by advanced security.”
