PhoneSpy spyware is currently targeting Android users in South Korea through third-party platforms.
Zimperium zLabs researchers have revealed findings on PhoneSpy spyware that can infiltrate Android handsets and is spread through malicious applications. For now, the good news is that the malicious apps are not available on Google Play Store.
“Samples of PhoneSpy were not found in any Android app store, indicating that attackers are using distribution methods based on web traffic redirection or social engineering,” researchers noted.
SEE: Dark web hackers selling 400,000 South Korean & US payment card data
The malware is developed with advanced obfuscation and concealment capabilities. Once it is downloaded on a device, it can hide its icon and remain undetected, uninstall mobile security software, and gather extensive personal and corporate data from the victim, including private photos and communications.
23 Malicious Apps Discovered
On Wednesday, zLabs published its report on the nefarious activities of PhoneSpy spyware operators. Reportedly, the researchers have identified 23 malicious applications hiding the spyware and distributed through third-party platforms. The infected apps include photo collection apps, TV/Video streaming software, browsing utilities, and yoga instruction software.
Campaign Targets South Korean Citizens
The campaign is mainly targeting Android users in South Korea. According to zLabs researchers, the campaign’s initial infection vector is nothing unique as, like every other campaign, it also uses phishing links to trap unsuspecting users. The links are posted on social media channels or splashed over websites claiming to be sent by a famous Korean service, the Kakao Talk messaging app.
How does the Attack Works?
When the victim installs and runs the APK file of the downloaded app, instead of running the app’s software, it will deploy PhoneSpy.
“After installation and launch, the app displays a login page and attempts to steal the credentials for “Kakao,” which can be used to login into other services in South Korea with the Single-Sign-On feature,” the report read.
It then asks for selected permissions, after which it becomes easier for the malicious software to steal data from the device, such as user credentials.
Malware Capabilities
Researchers described PhoneSpy as an ‘advanced’ RAT (Remote Access Trojan). They can perform various functions, from surveillance of victims’ activities and exfiltrating device information to transmitting data to the C2 server.
Furthermore, the malware can monitor the victim’s location through GPS, hijack mobile microphones and cameras (both front and rear) to record audio conversations, videos, and images, intercept and steal SMS, call log, contact list, and contact forwarding, and even send messages on behalf of the attacker.
The full list of PhoneSpy’s capabilities include:
- Stealing credentials using phishing
- Stealing images
- Monitoring the GPS location
- Stealing SMS messages
- Stealing phone contacts
- Stealing call logs
- Recording audio in real-time
- Stealing a complete list of the installed applications
- Recording video in real-time using front & rear cameras
- Accessing camera to take photos using front & rear cameras
- Sending SMS to attacker-controlled phone number with attacker-controlled text
- Exfiltrating device information (IMEI, Brand, device name, Android version)
- Concealing its presence by hiding the icon from the device’s drawer/menu.
SEE: N Korean hackers used VPN flaws to breach S Korean atomic agency
“Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.”
This is an ongoing campaign, and zLabs has notified authorities in South Korea and USA.
