A mobile spyware campaign has been discovered that is eavesdropping on South Korean citizens via a family of 23 malicious Android applications to remotely steal sensitive information and control devices.
The campaign was branded “PhoneSpy” by a Dallas-based mobile security firm. Analysis of PhoneSpy reveals a standard structure that has been passed around for years, modified by different people, and discussed in private forums and back channels until it was finally assembled into what is seen today.
The malicious apps are disguised as seemingly harmless lifestyle tools, with functions ranging from yoga and photo browsing to viewing TV and videos. The malware samples were not distributed through the Google Play Store or other third-party app stores, which suggests that victims were tricked into installing the applications through social engineering or web traffic redirection.
After installation, the app requests a number of permissions and then redirects to a phishing site that mimics the login pages of popular applications such as Facebook, Instagram, Google, and Kakao Talk. Users who try to log in are shown an HTTP 404 Not Found response, but by then their credentials have already been captured and sent to a remote command-and-control (C2) server.
PhoneSpy, like other trojans, abuses the permissions the device has granted it. It allows the threat actor to take pictures with the camera, record video and audio, obtain precise GPS location, browse images stored on the device, extract SMS messages, contacts, and call logs, and even send SMS messages with attacker-controlled text. The gathered information is then sent to the C2 server.
PhoneSpy and other mobile spyware reveal how these toolsets and frameworks can be dismantled and rebuilt with new code and capabilities repeatedly, giving attackers the advantage.
Because most of these critical devices lack adequate protection, mobile spyware is becoming increasingly common, used by everyone from nation-states targeting dissidents to companies spying on competitors.