A new spying campaign involving PhoneSpy malware has infected thousands of victim devices to date.
On Wednesday, Zimperium zLabs published a new report on PhoneSpy, spyware developed to infiltrate handsets operating on Google’s Android OS.
To date, 23 malicious apps harboring the spyware have been found, but none of the samples were discovered in the official Google Play Store — suggesting that PhoneSpy is being distributed via third-party platforms.
The latest PhoneSpy campaign appears to be focused on South Korea, with the malware bundled into seemingly-benign mobile apps including messaging, yoga instruction, photo collection and browsing utilities, and TV/video streaming software.
zLabs suspects that the initial infection vector is a common one: the use of phishing links posted to websites or social media channels.
Once the victim installs and launches the app's APK, PhoneSpy is deployed. The malware targets Korean speakers and displays a phishing page impersonating a popular service, such as the Kakao Talk messaging app, both to coax the user into granting permissions and to harvest credentials.
When you think of spyware right now, it may be that Pegasus comes to mind — a silent, pernicious form of malware that has been used to spy on high-profile lawyers, activists, government figures, and journalists.
While PhoneSpy appears to be more run-of-the-mill, the malware’s capabilities, too, cannot be dismissed out of hand. The malware is described as an “advanced” Remote Access Trojan (RAT) capable of quietly conducting surveillance on a victim and sending data to a command-and-control (C2) server.
PhoneSpy's functionality includes tracking the victim's location via GPS; recording audio, images and video in real time by hijacking the microphone and both the front and rear cameras; intercepting and stealing SMS messages; forwarding calls; stealing call logs and contact lists; sending messages on the operator's behalf; and exfiltrating device information.
In addition, PhoneSpy has been developed with obfuscation and concealment features and will hide its icon to stay undetected — a common tactic employed by spyware and stalkerware. The malware may also attempt to uninstall user apps, including mobile security software.
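Practitioners triaging a sideloaded APK usually start with its manifest, because the capability list above maps almost one-to-one onto declared permissions. The Python below is an added example, not code from Zimperium or from the PhoneSpy samples: it takes a manifest already decoded to plain XML (for instance with `apktool d`), maps the permissions it declares onto the surveillance capabilities described in the article, and applies one heuristic for icon hiding (the only launcher entry is an `activity-alias`, which an app can switch off at runtime with `PackageManager.setComponentEnabledSetting` without touching its real activity). The two embedded manifests, their package names and the scoring threshold are constructed for illustration and do not come from any real sample.

```python
"""Static triage of a decoded AndroidManifest.xml for PhoneSpy-style indicators.
Added example: assumes the manifest has already been decoded from binary AXML
(e.g. `apktool d sample.apk`). Permission-to-capability mapping and the
constructed manifests below are illustrative, not taken from real samples."""
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Permissions that correspond to the capabilities attributed to PhoneSpy.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location tracking",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.CAMERA": "front/rear camera capture",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.SEND_SMS": "sending SMS on the victim's behalf",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.REQUEST_DELETE_PACKAGES": "uninstalling other apps",
}


def _launcher_components(app):
    """Return (tag, name) for every component carrying a MAIN/LAUNCHER intent-filter."""
    found = []
    for comp in app.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.findall("action")}
            cats = {c.get(A_NAME) for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                found.append((comp.tag, comp.get(A_NAME)))
    return found


def triage_manifest(xml_text):
    """Score a decoded manifest: one point per surveillance permission, two for the icon-hiding pattern."""
    root = ET.fromstring(xml_text)
    declared = {p.get(A_NAME) for p in root.findall("uses-permission")}
    matched = {p: SURVEILLANCE_PERMS[p] for p in sorted(declared) if p in SURVEILLANCE_PERMS}
    app = root.find("application")
    launchers = _launcher_components(app) if app is not None else []
    # Heuristic (constructed for this example): if every launcher entry is an
    # activity-alias, the app can disable its icon at runtime while the real
    # activity keeps running. Benign apps use aliases too, so this is a hint.
    icon_hiding_suspect = bool(launchers) and all(t == "activity-alias" for t, _ in launchers)
    score = len(matched) + (2 if icon_hiding_suspect else 0)
    return {
        "package": root.get("package"),
        "surveillance_perms": matched,
        "launcher_components": launchers,
        "icon_hiding_suspect": icon_hiding_suspect,
        "score": score,
    }


def is_suspicious(report, threshold=5):
    """Threshold is an illustrative cut-off, not a calibrated detection rule."""
    return report["score"] >= threshold


# Constructed manifest mimicking the article's "yoga app" lure. Not a real sample.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.yogaguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="Yoga Guide">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""

# Constructed benign counterpart: a location-aware app with a normal launcher activity.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.yogabenign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Yoga Benign">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(text)
        print(r["package"], "score", r["score"], "suspicious" if is_suspicious(r) else "ok")
        for perm, cap in r["surveillance_perms"].items():
            print("   ", perm, "->", cap)
```

Treat the output as a triage signal, not a verdict: a sample can request nothing unusual in its manifest and fetch a second-stage payload at runtime, and the icon-hiding heuristic also fires on legitimate apps that use aliases for seasonal icons. Confirming the behaviours the report describes still requires running the sample and observing its network traffic and component state.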
zLabs believes that the campaign has been used to gather “significant amounts of personal and corporate information [from] victims, including private communications and photos.”
The campaign is still ongoing. US and Korean authorities have been informed.
“The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss,” the researchers say. “Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.”