An ongoing spyware campaign in South Korea has been discovered by researchers


Researchers have uncovered an ongoing mobile spyware campaign in South Korea that targets residents' devices with a family of 23 malicious Android apps. The campaign aims to collect sensitive data and gain remote control of the targeted devices.

“With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices”, stated Aazim Yaswant, a researcher from Zimperium, a company recognised for developing mobile threat defence software solutions. Furthermore, “The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss.” 

The spyware campaign has been dubbed “PhoneSpy” by Zimperium and has not been connected to a recognised threat actor. Richard Melick, the director of product strategy for endpoint security at Zimperium, reported that “The evidence surrounding PhoneSpy shows a familiar framework that has been passed around for years, updated by individuals and shared within private communities and back channels until assembled into what we see in this variation today.”

The malicious apps are disguised as harmless lifestyle apps, offering things such as learning yoga, viewing photos, and watching videos and TV. They are not distributed through the Google Play Store or unofficial marketplaces, suggesting that web redirection or other forms of social engineering are used to trick unsuspecting users into downloading them.

Once installation is complete, the app requests permissions and then redirects the user to a phishing site that mimics the login pages of commonly used services such as Facebook, Instagram, Google and Kakao Talk. When the user logs into the fake page, they are shown an HTTP 404 Not Found message; unbeknownst to them, their data has already been sent to a remote command-and-control (C2) server.

Further reported by Yaswant, “Many of the applications are facades of a real app with none of the advertised user-based functionality” and that “in a few other cases, like simpler apps that advertise as photo viewers, the app will work as advertised all while the PhoneSpy spyware is working in the background.” 

Other invasive capabilities of PhoneSpy allow the attacker to take pictures, view pictures, record video and audio, determine the target's GPS location, obtain SMS messages, contacts and call logs, and send SMS to the infected phone, all of which is then transferred to the C2 server.

“Mobile spyware is an incredibly powerful and effective weapon against the data we hold in our hands. As our phones and tablets continue to become the digital wallets and IDs, forms of multi-factor authentication, and the keys to the data kingdom for our professional and personal lives, the malicious actors wanting that exact data will find new ways to steal it,” Melick outlines.

Moreover, “PhoneSpy and other examples of mobile spyware show that these toolsets and frameworks can be broken down and rebuilt over and over again with an updated code and capabilities, giving the attackers the upper hand. And it’s only increasing in popularity for everyone from nation states targeting dissidents to corporations spying on competition due to the lack of advanced security surrounding most of these critical devices.”
