An ongoing spyware campaign dubbed ‘PhoneSpy’ targets South Korean users via a range of lifestyle apps that nest in the device and silently exfiltrate data.
The campaign deploys a powerful Android malware capable of stealing sensitive information from the users and taking over the device’s microphone and camera.
Researchers at Zimperium who discovered the campaign reported their findings to the US and South Korean authorities, but the host that supports the C2 server is yet to be taken down.
Hidden in “harmless” apps
The ‘PhoneSpy’ spyware comes disguised as a Yoga companion app, the Kakao Talk messaging app, an image gallery browser, a photo editing tool, and more.
Zimperium identified 23 laced apps that appear as harmless lifestyle apps, but in the background, the apps run all the time, silently spying on the user.
To do that, the apps ask the victim to grant numerous permissions upon installation, which is the only stage where cautious users would notice signs of trouble.
The spyware that is hiding inside the masqueraded apps can do the following on a compromised device:
Fetch the complete list of the installed applications
Uninstall any application on the device
Install apps by downloading APKs from links provided by C2
Steal credentials using phishing URLs sent by C2
Steal images (from both internal and SD card memory)
Monitor the GPS location
Steal SMS messages
Steal phone contacts
Steal call logs
Record audio in real-time
Record video in real-time using front & rear cameras
Access camera to take photos using front & rear cameras
Send SMS to attacker-controlled phone number with attacker-controlled text
Exfiltrate device information (IMEI, Brand, device name, Android version)
Conceal its presence by hiding the icon from the device’s drawer/menu
The spectrum of the stolen data is wide enough to support almost any malicious activity, from spying on spouses and employees to conducting corporate cyber-espionage and blackmailing people.
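Because the install-time permission prompt is the one point where the surveillance capabilities above become visible, a defender triaging an APK can map the permissions declared in its AndroidManifest.xml onto those capability classes and flag a "lifestyle" app that asks for far more than its stated purpose needs. The script below is an added example written for this article, not Zimperium's code or a PhoneSpy sample; the permission names are real Android permissions, but the grouping into capabilities, the threshold, and both sample manifests are this example's own constructed assumptions (the real PhoneSpy manifests are not on the page).

```python
"""Triage helper: map declared Android permissions onto spyware capability
classes and flag apps whose permission set would support that kind of
surveillance. Added example; the manifests below are constructed samples."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Real Android permission names, grouped by the capability they would enable.
# The grouping itself is an assumption made for this example.
CAPABILITY_PERMISSIONS = {
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "use camera": {"android.permission.CAMERA"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION",
                       "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "read stored images": {"android.permission.READ_EXTERNAL_STORAGE",
                           "android.permission.READ_MEDIA_IMAGES"},
    "install apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "uninstall apps": {"android.permission.REQUEST_DELETE_PACKAGES"},
    "read device identifiers": {"android.permission.READ_PHONE_STATE"},
    "list installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def spyware_capabilities(manifest_xml: str) -> list:
    """List the capability classes the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag an app as suspicious when it could exercise at least `threshold`
    surveillance capabilities; the threshold is an assumption for this example."""
    caps = spyware_capabilities(manifest_xml)
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


# Constructed sample: a "yoga" app that declares surveillance-class permissions.
SAMPLE_SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.yogafit">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>
"""

# Constructed sample: a photo editor that asks only for what its purpose needs.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("yoga app", SAMPLE_SPYWARE_MANIFEST),
                            ("photo editor", SAMPLE_BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: suspicious={result['suspicious']} "
              f"capabilities={result['capabilities']}")
```

A manifest can be pulled from an APK with a standard decoding tool before running this; the check is a coarse triage heuristic, since a legitimate messaging app also needs SMS and contacts permissions, so the verdict should be read against what the app claims to do.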
Apart from the spyware functionality, some apps also actively try to steal people’s credentials by displaying fake login pages for various sites.
Phishing templates used in the PhoneSpy campaign mimic Facebook, Instagram, Kakao, and Google account login portals.
Distributing laced apps
The initial distribution channel for the laced apps is unknown, and the threat actors did not upload the apps to the Google Play Store.
They could be distributed through websites, obscure third-party APK stores, social media, forums, or even webhards and torrents.
A potential distribution method may be via SMS sent by the compromised device to its contact list, since the malware is capable of sending SMS messages.
Using SMS texts increases the chances of the recipients tapping on the link that leads to downloading the laced apps as it comes from a person they know and trust.
If you think you might have downloaded a risky app carrying spyware, delete it immediately and then run an AV scanner to clean your device of any remnants.
In cases where privacy and security are imperative, perform a factory reset on the device.