More than 1,000 Android phones have been found infected with newly uncovered malware that secretly records users' real-time video and audio, steals downloaded files, and carries out several other surveillance actions.

Security researchers from Zimperium revealed twenty-three (23) apps that surreptitiously install spyware they have named PhoneSpy. The spyware is packed with features for stealing documents, forwarding Global Positioning System (GPS) tracking information, eavesdropping, modifying Wi-Fi connections, and carrying out overlay attacks to harvest passwords for Facebook, Google, Instagram, and KakaoTalk.

Aazim Yaswant, a Zimperium researcher, stated:

“These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,”

“We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”

According to Zimperium, the identified victims of this spyware are located in South Korea, but no other possibilities have been ruled out. The researchers are still investigating whether there is any relationship among the victims.

There is a high probability that the victims know one another, either from work or from having connected at some point, since PhoneSpy can download contact lists.

PhoneSpy’s Features

Zimperium's analysis revealed that PhoneSpy comes with a number of advanced features. As per their Wednesday report:

The mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions, such as:

  • Complete list of the installed applications
  • Steal credentials using phishing
  • Steal images
  • Monitoring the GPS location
  • Steal SMS messages
  • Steal phone contacts
  • Steal call logs
  • Record audio in real-time
  • Record video in real-time using front & rear cameras
  • Access camera to take photos using front & rear cameras
  • Send SMS to attacker-controlled phone number with attacker-controlled text
  • Exfiltrate device information (IMEI, Brand, device name, Android version)
  • Conceal its presence by hiding the icon from the device’s drawer/menu

Upon infection, the victim’s mobile device will transmit accurate GPS locational data, share photos and communications, contact lists, and downloaded documents with the command and control server. Similar to other mobile spyware we have seen, the data stolen from these devices could be used for personal and corporate blackmail and espionage. The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices.  

Zimperium stated that none of the applications were available on the Google Play Store or other app stores. While the researchers speculated that the apps were being distributed through social engineering or web traffic redirection, they did not elaborate.

This spyware resembles a malware named Pegasus, which was developed by the Israeli developer NSO Group. Pegasus is sold to governments across the globe for spying on terrorists, attorneys, criminals, dissidents, and a variety of threatened people living under oppressive regimes.

The previous week, the Biden administration had prohibited the export, re-export, and in-country transfer of NSO's malware.

There is a key difference, though: PhoneSpy poses as a legitimate application for viewing images, learning yoga, watching TV, and similar harmless activities, whereas Pegasus installs itself on iOS and Android using zero-click exploits.

Zimperium does not know who developed this malware, as the campaign only began on Wednesday morning. Regardless, it is important for all Android users to stay vigilant when installing apps on their devices, especially from unknown developers, and to protect themselves against all kinds of cyber threats.