More than 1,000 Android users have been infected with newly discovered malware that surreptitiously records audio and video in real time, downloads files, and performs a variety of other creepy surveillance activities.
In all, researchers uncovered 23 apps that covertly installed spyware that researchers from security firm Zimperium are calling PhoneSpy. The malware offers a full-featured array of capabilities that, besides eavesdropping and document theft, also includes transmitting GPS location data, modifying Wi-Fi connections, and performing overlay attacks for harvesting passwords to Facebook, Instagram, Google, and the Kakao Talk messaging application.
“These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,” Zimperium researcher Aazim Yaswant wrote. “We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”
So far, all known victims are located in South Korea, but Zimperium hasn’t ruled out the possibility that people in other countries are also being targeted. The researchers have yet to discover if there’s any connection between those infected. Since PhoneSpy has the ability to download contact lists, it’s possible that victims know each other or are otherwise connected through work or other affiliations.
The picture that emerged from the Zimperium analysis is of an advanced and mature spyware package with a full breadth of features. Wednesday’s analysis said:
The mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions, such as:
- Complete list of the installed applications
- Steal credentials using phishing
- Steal images
- Monitoring the GPS location
- Steal SMS messages
- Steal phone contacts
- Steal call logs
- Record audio in real-time
- Record video in real-time using front & rear cameras
- Access camera to take photos using front & rear cameras
- Send SMS to attacker-controlled phone number with attacker-controlled text
- Exfiltrate device information (IMEI, Brand, device name, Android version)
- Conceal its presence by hiding the icon from the device’s drawer/menu
Upon infection, the victim’s mobile device will transmit accurate GPS locational data, share photos and communications, contact lists, and downloaded documents with the command and control server. Similar to other mobile spyware we have seen, the data stolen from these devices could be used for personal and corporate blackmail and espionage. The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices.
Zimperium has found no evidence that any of the apps were available in Google Play or third-party app marketplaces. The researchers suspect the PhoneSpy apps are being distributed through web traffic redirection or social engineering, but they didn’t elaborate.
The capabilities resemble Pegasus, the malware that Israeli developer NSO Group sells to governments around the world so they can spy on criminals, terrorists, and, all too often, dissidents, attorneys, and other threatened people in countries with repressive regimes. Last week, the Biden administration banned the export, reexport, and in-country transfer of the NSO malware.
Unlike Pegasus—which installs itself using “zero-click” exploits for either iOS or Android—PhoneSpy infects targets by posing as a legitimate app for learning yoga, viewing pictures, watching TV, or similar benign activities.
Zimperium has no details on who is behind PhoneSpy. The campaign was active as of Wednesday morning. As always, Android users should remain wary of apps, particularly when they’re distributed by little-known developers through third-party markets.