The PhoneSpy Android Malware uses 23 rogue apps to acquire remote access to the attacked devices

The PhoneSpy Android Malware

The mobile security company Zimperium recently uncovered an ongoing snooping campaign targeting South Korean residents. The threat actors behind the campaigned have already claimed over a thousand victims,  infiltrating their mobile devices and collecting various types of sensitive and personal data from them. According to the researchers at the security company, the campaign uses 23 Android apps to secretly acquire remote access to the attacked devices and to extract sensitive data from them. The snooping campaigned has been dubbed “PhoneSpy” by the Zimperium research team.

1 2 1024x516

Thus far, the threat actor behind PhoneSpy remains unknown. The researchers report that the framework of the snooping campaign is familiar, and it seems that it has been passed around between different threat actors throughout the years, receiving new updates and improvements in the process and eventually evolving to its current variant. 

The researchers state that the rogue apps used in the campaign are disguised as regular lifestyle applications such as Yoga apps or apps for browsing photos or watching TV/videos. Rather than relying on Google Play Store or third-party app platforms, the rogue apps are being promoted and distributed via social media, through the use of social engineering techniques and web traffic redirection, which allows them to get exposed to large numbers of users and thus get downloaded by potential victims.

After the rogue app is installed, the user is asked to give a wide range of system permissions (which should be seen as a red flag), after which the app opens a phishing page disguised as the login page of a popular app such as Instagram, Facebook, Kakao Talk, or Google. Entering one’s login details on such a disguised phishing page would result in an error message so that the user would think that the app has a bug and not get suspicious. In reality, however, the hackers would have already obtain the entered user data.

Most of the malicious applications are nothing but facades made to resemble real apps while lacking any of those apps’ actual functionality. However, a couple of the simpler rogue apps (such as photo viewers, for example) do actually have some sort of functionality and would work as advertised, while, at the same time, PhoneSpy would be operating in the system’s background.

Similarly to other espionage and data-stealing Trojans, PhoneSpy exploits the permissions that the user is required to give it, which enables it to secretly access the device’s camera or mic and capture photos or record video or audio. PhoneSpy can also access the device’s GPS location, see the pictures stored on the device, extract text messages, call logs, access the user’s contacts list, as well as send SMS messages to the infected device. Any data gathered by this malware is later sent to the hacker’s Command-and-Control server.

Rickard Melick, Zimperium’s director of product strategy for endpoint security, notes that the current instance with PhoneSpy exemplifies how common and easy it is for hackers to break down and rebuilt malware toolsets and frameworks, updating their code and evolving their capabilities, which allows the threat actors to circumvent even advanced security measures, such as multifactor authentication. He adds that the popularity of such practices is only increasing with time and that it’s now not uncommon for them to be used by corporations to spy on competitors or by nation states in order to target dissidents


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment