Newly discovered malware has infected over 1,000 Android users.
The malware was found to perform a variety of intrusive surveillance activities, such as secretly recording audio and video and downloading files.
Security researchers from the firm Zimperium found that 23 apps had secretly installed spyware called PhoneSpy.
Beyond eavesdropping and document theft, PhoneSpy has a wide array of spying features, including the ability to transmit GPS location information, modify Wi-Fi connections, and harvest passwords for Facebook, Instagram, Google, and the Kakao Talk messaging app.
“These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,” Zimperium researcher Aazim Yaswant wrote. “We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”
South Korea has been identified as the only nation affected by PhoneSpy.
While Zimperium has not found evidence that the malware affects people in other countries, it hasn’t ruled that out either.
As of now, no connection has been established between those infected.
However, the fact that PhoneSpy has the ability to download contact lists means that it is possible for victims to be related through work or other connections.
Zimperium analysis showed that PhoneSpy is an advanced and mature spyware package with a full breadth of features. The analysis stated that:
“The mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions, such as:
List of PhoneSpy functions:
- Steal credentials using phishing
- Steal images
- Monitoring the GPS location
- Steal SMS messages
- Steal phone contacts
- Steal call logs
- Record audio in real-time
- Record video in real-time using front & rear cameras
- Access camera to take photos using front & rear cameras
- Send SMS to attacker-controlled phone number with attacker-controlled text
- Exfiltrate device information (IMEI, Brand, device name, Android version)
- Conceal its presence by hiding the icon from the device’s drawer/menu
“Upon infection, the victim’s mobile device will transmit accurate GPS locational data, share photos and communications, contact lists, and downloaded documents with the command and control server,” the analysis added.
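A defender-side triage check based on the capability list above, added here as an illustration and not part of the article or of Zimperium's analysis: it parses an app's AndroidManifest.xml, maps the permissions the app requests onto the surveillance capabilities named in the list, and flags packages that cover most of that cluster. The two manifests and package names are constructed, the capability-to-permission mapping is my own, and the threshold of four capabilities is an assumption, not a figure from the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities from the PhoneSpy function list, mapped to the Android
# permissions an app must declare to implement them (mapping is my own).
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "camera photo/video": {"android.permission.CAMERA"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "device identifiers": {"android.permission.READ_PHONE_STATE"},
    "images/files": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed manifest: a "photo viewer" that asks for the whole surveillance cluster.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.photoviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed manifest: a photo viewer that only needs storage and network.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.benignviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def matched_capabilities(manifest_xml: str) -> list:
    """Capabilities from the list whose permissions the app requests, sorted by name."""
    perms = requested_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag an app whose requested permissions cover at least `threshold` capabilities.

    The threshold is an assumed heuristic; a legitimate messaging app also
    requests several of these, so a hit is a reason to inspect, not a verdict.
    """
    root = ET.fromstring(manifest_xml)
    caps = matched_capabilities(manifest_xml)
    return {
        "package": root.get("package"),
        "capabilities": caps,
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Two caveats a practitioner should keep in mind: a declared permission is not a granted one, so cross-check against what the user actually approved, and the icon-hiding behaviour in the list happens at runtime and leaves no trace in the manifest, so this check complements rather than replaces inspecting installed apps on the device.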
As with other mobile spyware, malicious actors can use the stolen data for espionage against, and blackmail of, individuals as well as organizations.
The information could also be used to gather intelligence for further malicious activity.
“Malicious actors could also obtain stolen materials and make notes about the victim.”
According to Zimperium’s analysis, none of these apps are listed on Google Play or on third-party app stores.
The researchers said PhoneSpy apps may be distributed through redirected web traffic or social engineering; however, they did not elaborate.
PhoneSpy’s capabilities are similar to those of Pegasus, malware created by the Israeli developer NSO Group to spy on criminals and terrorists.
Buyers in countries with repressive regimes have used that malware to target dissidents, lawyers, and other threatened individuals.
NSO malware was banned last week by the Biden administration.
Rather than infecting targets directly, PhoneSpy masquerades as a genuine app for watching TV, viewing photos, learning yoga, or other benign tasks.
PhoneSpy’s creator is currently unknown to Zimperium.
Users should be careful about downloading apps from unknown developers, particularly when they’re offered through third-party markets.