Android Spyware Operations targeting South Korean Users ‘PhoneSpy’

An ongoing spyware campaign named “PhoneSpy” targets South Korean users through a range of lifestyle applications that burrow into the system and silently exfiltrate information.

The operation uses a powerful Android malware that is capable of stealing sensitive information from users and taking over the device’s microphone and camera. The security researchers who discovered the operation reported their findings to the US and South Korean authorities, but the host that supports the C2 server has yet to be taken down.

Hidden in “Inoffensive” Applications

The ‘PhoneSpy’ spyware arrives disguised as a yoga companion app, the Kakao Talk messaging app, an image gallery browser, a photo editing tool, and so on. Security researchers identified 23 trojanized applications that appear harmless or inoffensive, but in the background they run continuously, silently spying on the user.

To do that, the applications ask the victim to grant a long list of permissions upon installation, which is the only stage at which a cautious user would notice signs of trouble.


The spyware hiding inside the disguised applications can do the following on a compromised device:

  • Fetch the complete list of the installed applications
  • Uninstall any application on the device
  • Install apps by downloading APKs from links provided by C2
  • Steal credentials using phishing URLs sent by C2
  • Steal images (from both internal and SD card memory)
  • Monitor the GPS location
  • Steal SMS messages
  • Steal phone contacts
  • Steal call logs
  • Record audio in real-time
  • Record video in real-time using front & rear cameras
  • Access camera to take photos using front & rear cameras
  • Send SMS to attacker-controlled phone number with attacker-controlled text
  • Exfiltrate device information (IMEI, Brand, device name, Android version)
  • Conceal its presence by hiding the icon from the device’s drawer/menu

The range of stolen information is broad enough to support almost any malicious activity, from spying on employees and spouses to conducting corporate cyber espionage and threatening people.
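As an added defender-side example (not code from the article), the following Python triage script parses the `requested permissions:` block of `adb shell dumpsys package <pkg>` output and flags packages whose permissions span several of the capability groups listed above. The dumpsys excerpt and its package name are constructed for illustration, and the mapping from permissions to capability groups is my own assumption.

```python
import re

# Permission groups mapped to the capability list above (the mapping is an assumption).
CAPABILITY_PERMISSIONS = {
    "audio/video capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "contacts/call logs": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "app install/removal": {"android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.REQUEST_DELETE_PACKAGES"},
}

# Constructed excerpt in the style of `adb shell dumpsys package <pkg>`; the package name and permissions are invented.
SAMPLE_DUMPSYS = """\
Package [com.example.yoga.companion] (1a2b3c):
    requested permissions:
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""

def parse_requested_permissions(dumpsys_text):
    """Return {package: set(permissions)} taken only from each 'requested permissions:' block."""
    result, current, in_block = {}, None, False
    for line in dumpsys_text.splitlines():
        if m := re.match(r"Package \[([^\]]+)\]", line):   # start of a new package record
            current, in_block = m.group(1), False
            result[current] = set()
        elif (s := line.strip()).endswith(":"):           # any other section header
            in_block = s == "requested permissions:"
        elif in_block and current and s.startswith("android.permission."):
            result[current].add(s)
    return result

def spyware_capabilities(permissions):
    """Capability groups that this permission set would let an app exercise."""
    return sorted(g for g, p in CAPABILITY_PERMISSIONS.items() if p & permissions)

def triage(dumpsys_text, min_groups=4):
    """Flag packages whose requested permissions span at least min_groups capability groups."""
    return {pkg: caps for pkg, perms in parse_requested_permissions(dumpsys_text).items()
            if len(caps := spyware_capabilities(perms)) >= min_groups}
```

Run it over the dumpsys output of each third-party package on a device; a flagged app is a triage signal rather than a verdict, since a legitimate messaging or camera app can also request many of these permissions.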

Apart from the spyware functionality, some of the applications also try to steal people’s credentials by displaying fraudulent login pages for various sites. The phishing templates used in the PhoneSpy operation mimic the Facebook, Instagram, Kakao, and Google account login portals.


Distributing the Laced Applications

The initial distribution channel for the laced applications is unknown, and the attacker did not upload them to the Google Play Store. They could be distributed through websites, third-party APK stores, social media forums, or even web hard services and torrents.

A likely distribution method is SMS sent from a compromised device to its contact list, since the malware is capable of sending SMS. Using SMS texts increases the chances of recipients tapping the link that downloads the laced applications, because it comes from a person they know and trust.


If you think you may have installed a risky app carrying spyware, delete it immediately and then run an AV scanner to clean the device of any remnants. Where privacy and security are imperative, perform a factory reset on the device.
