This new Android spyware masquerades as legitimate apps

Security researchers have discovered a new malware campaign that steals personal data from South Korean Android users. Unlike spyware operations that exploit on-device vulnerabilities, PhoneSpy hides in plain sight on victims’ handsets, posing as legitimate Android lifestyle apps ranging from TV streaming to yoga instruction.

In reality, the spyware silently harvests data from the victim’s device, including login credentials, messages, precise location, and photos. PhoneSpy can also uninstall any app, including mobile security software.

PhoneSpy can also access a victim’s camera to capture images and record video in real time, according to researchers at mobile security firm Zimperium, who identified the spyware in 23 applications.

They warned that this could be used for personal and corporate blackmail and espionage. It does so without the victim’s knowledge, and Zimperium says it would be impossible to detect unless someone was monitoring the device’s network traffic.

The legitimate-looking apps request excessive on-device permissions, a classic red flag. “Once the permissions are given, the attackers may take control of the app and conceal it from the user’s menu, allowing them to track and steal with little to no disruption,” Zimperium’s Richard Melick told TechCrunch.

PhoneSpy is not known to be available on Google Play, and no samples have been found in any Android app store. Instead, according to Zimperium, the attackers rely on web traffic redirection or social engineering, a type of attack in which victims are persuaded to take specific actions or hand over sensitive information. “PhoneSpy is spread via harmful and false apps that are downloaded and sideloaded onto the victims’ handsets,” Melick explained. “There is evidence pointing to distribution via online traffic redirection or social engineering, such as phishing, when the end-user is tricked into downloading what they believe is a legitimate program from a compromised website or direct link,” says the report.
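The two red flags above, a sideloaded install and a lifestyle app asking for spyware-grade permissions, can be checked on a device without any vendor tooling. The script below is an added example, not code from Zimperium or anything taken from PhoneSpy itself. It assumes the text formats of `adb shell pm list packages -i` (which reports `installer=null` for hand-installed packages) and the `requested permissions:` block of `adb shell dumpsys package <pkg>`; the package names and dumpsys excerpts are constructed for the example.

```python
"""Triage installed Android packages for sideloaded apps that request
spyware-grade permissions (added example; assumes the output formats of
`pm list packages -i` and `dumpsys package`, sample data is constructed)."""
import re

# Installer packages treated as an app store. `pm list packages -i` reports
# installer=null for a package installed by hand (adb install / sideload).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions matching the data classes PhoneSpy is reported to collect:
# camera/video, microphone, precise location, messages, contacts, photos.
SPYWARE_GRADE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed `pm list packages -i` output (hypothetical package names).
PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.yogalessons  installer=null
package:com.example.tvstream  installer=com.android.packageinstaller
package:com.example.flashlight  installer=null
"""

# Constructed `dumpsys package` excerpts, one per package.
DUMPSYS = {
    "com.android.chrome": """\
  Package [com.android.chrome] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.yogalessons": """\
  Package [com.example.yogalessons] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.tvstream": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
""",
    "com.example.flashlight": """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
""",
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package (None when pm reports null)."""
    installers = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def requested_permissions(dumpsys_text):
    """Collect the 'requested permissions:' block of a dumpsys excerpt,
    stopping at the next section header (a line ending in ':')."""
    perms, in_block = set(), False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not line or line.endswith(":"):
                break
            perms.add(line.split()[0])
    return perms


def triage(pm_text, dumpsys_by_pkg, threshold=3):
    """Return (package, installer, sorted risky perms) for each package not
    installed by a trusted store that requests >= threshold risky perms."""
    findings = []
    for pkg, installer in parse_pm_list(pm_text).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        risky = SPYWARE_GRADE & requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        if len(risky) >= threshold:
            findings.append((pkg, installer, sorted(risky)))
    return findings


if __name__ == "__main__":
    for pkg, installer, risky in triage(PM_LIST, DUMPSYS):
        print(f"{pkg} (installer={installer}): {', '.join(risky)}")
```

On a real handset the two inputs come from `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>` for each flagged package. The installer field is a heuristic, not proof: a store-installed app can still be malicious and a sideloaded app can be benign (the constructed flashlight package is skipped because it asks for nothing beyond the camera), so treat hits as candidates for closer inspection rather than verdicts.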

According to Zimperium, PhoneSpy, which has claimed more than 1,000 victims in South Korea, shares numerous characteristics with other known spyware and stalkerware programs.

“This leads us to suspect that someone put up a fresh spyware setup with the characteristics and capabilities they sought,” Melick continued. Off-the-shelf code also leaves fewer fingerprints, making it easier for attackers to hide their identity.

Zimperium says it has contacted U.S. and South Korean authorities about the highly targeted spyware campaign and has repeatedly reported the command-and-control server to its hosting provider. However, the PhoneSpy campaign was still active as of this writing. Last month, TechCrunch exposed a large-scale stalkerware operation that compromised the personal information of hundreds of thousands of people.