This new Android spyware masquerades as legitimate apps – TechCrunch

Security researchers have discovered a new spyware campaign that targets South Korean residents with Android devices in order to steal confidential data.

Unlike other spyware campaigns, which typically take advantage of device vulnerabilities, this campaign, known as PhoneSpy, lurks in plain sight on victims’ devices, masquerading as legitimate Android lifestyle apps, from TV streaming to yoga instruction. In reality, however, the spyware stealthily exfiltrates data from the victim’s device, including login credentials, messages, precise location, and images. PhoneSpy is also capable of uninstalling applications, including mobile security applications.

Researchers from mobile security firm Zimperium, which discovered PhoneSpy in 23 apps, say the spyware can also access a victim’s camera to take photos and record video in real time, and warned that it could be used for personal and corporate blackmail and espionage. It does this without the victim’s knowledge, and Zimperium notes that unless someone is monitoring the device’s web traffic, it would be difficult to detect.

The legitimate-looking apps ask for excessive permissions on the device, a common red flag. “Once permissions are granted, attackers can take control and hide the app from the user menu, staying behind the scenes to continue tracking and spying with little or no disruption,” Richard Melick from Zimperium told TechCrunch.
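To make those red flags concrete for someone triaging a device, here is an added example (not TechCrunch’s or Zimperium’s code) that scores a constructed app inventory for the indicators described in the article: installation from outside Google Play, an excessive set of sensitive permissions, a missing launcher icon, and the ability to uninstall other apps. The inventory fields, the permission watch-list and the thresholds are assumptions, and the package names are placeholders.

```python
from dataclasses import dataclass

# Assumed watch-list: permissions that give the capabilities described above
# (camera, messages, location, and removing other apps).
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_DELETE_PACKAGES",
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

@dataclass
class InstalledApp:
    package: str
    installer: str        # "" means sideloaded / unknown source
    permissions: set
    has_launcher_icon: bool

def risk_indicators(app):
    """Return the PhoneSpy-style red flags this app exhibits."""
    flags = []
    if app.installer != PLAY_STORE:
        flags.append("sideloaded")
    sensitive = app.permissions & DANGEROUS
    if len(sensitive) >= 3:  # threshold is an assumption
        flags.append(f"excessive permissions ({len(sensitive)})")
    if not app.has_launcher_icon:
        flags.append("hidden from launcher")
    if "android.permission.REQUEST_DELETE_PACKAGES" in app.permissions:
        flags.append("can uninstall other apps")
    return flags

def triage(apps, min_flags=2):
    """Rank apps with at least min_flags indicators, most suspicious first."""
    scored = [(a, risk_indicators(a)) for a in apps]
    return sorted([s for s in scored if len(s[1]) >= min_flags], key=lambda s: -len(s[1]))

# Constructed sample inventory; package names are placeholders, not real samples.
SAMPLE_APPS = [
    InstalledApp("com.example.yoga", "", {"android.permission.CAMERA",
        "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.RECORD_AUDIO", "android.permission.REQUEST_DELETE_PACKAGES"}, False),
    InstalledApp("com.example.tv", "", {"android.permission.CAMERA",
        "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION"}, True),
    InstalledApp("com.example.notes", PLAY_STORE, {"android.permission.READ_CONTACTS"}, True),
]
```

Running `triage(SAMPLE_APPS)` ranks the hidden, sideloaded "yoga" app first with four flags, keeps the "tv" app with two, and drops the Play-installed notes app.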

PhoneSpy is not known to be listed on Google Play, and no samples were found in any Android app store. Instead, Zimperium says the attackers rely on distribution via web traffic redirection or social engineering, an attack method in which users are manipulated into performing certain actions or handing over confidential data.

“PhoneSpy is distributed through malicious and bogus applications which are uploaded to victims’ devices,” Melick said. “There is some evidence indicating distribution through web traffic redirection or social engineering, such as phishing, tricking the end user into downloading what they think is a legitimate application from a compromised website or a direct link.”

PhoneSpy, which according to Zimperium has so far claimed more than 1,000 victims in South Korea, shares many similarities with other known spyware and stalkerware applications in active use. “This leads us to believe that someone compiled the features and capabilities they wanted into a new spyware setup,” Melick added. Reusing existing code also leaves fewer fingerprints, making it easier for attackers to hide their identities.

Zimperium says it has informed US and South Korean authorities about this hyper-targeted spyware campaign and has repeatedly reported the command-and-control server to its hosting provider. However, at the time of writing, the PhoneSpy campaign is still active.

Last month, TechCrunch revealed a major stalkerware campaign that endangers the private phone data of hundreds of thousands of people.
