This new Android spyware masquerades as legitimate apps

Security researchers have uncovered a new spyware campaign that’s targeting South Korean residents with Android devices in order to steal confidential data.

Unlike other spyware campaigns that typically take advantage of on-device vulnerabilities, this campaign, known as PhoneSpy, hides in plain sight on victims’ devices, masquerading as legitimate Android lifestyle apps, from TV streaming to yoga instruction. In reality, however, the spyware is stealthily exfoliating data from the victim’s device, including login credentials, messages, precise granular location and images. PhoneSpy is also capable of uninstalling any apps, including mobile security apps.

Researchers at mobile security firm Zimperium, which discovered PhoneSpy inside 23 apps, say the spyware can also access a victims’ camera to take pictures and record video in real time, and warned that this could be used for personal and corporate blackmail and espionage. It does this without a victim knowing, and Zimperium notes that unless someone is watching their web traffic, it would be difficult to detect.

The legitimate-looking apps request excessive on-device permissions — a common red flag. “Once the permissions are granted, the attackers can take control and hide the app from the user's menu, staying behind the scenes to continue to track and steal with little to no interruption,” Zimperium’s Richard Melick told TechCrunch.

PhoneSpy is not known to be listed in Google Play, nor were samples found in any Android storefront. Rather, Zimperium says that attackers are using distribution methods based on web traffic redirection or social engineering, an attack method whereby users are manipulated into performing certain actions or handing over confidential data.

“PhoneSpy is distributed through malicious and fake apps that are downloaded and sideloaded onto the victim's devices," Melick said. "There is evidence pointing to distribution through web traffic redirection or social engineering, like phishing, tricking the end-user into downloading what they think is a legitimate app from a compromised website or direct link.”

PhoneSpy, which has so far claimed more than 1,000 victims in South Korea, according to Zimperium, shares many similarities with other known and previously used spyware and stalkerware apps. “This leads us to believe that someone compiled the features and capabilities they wanted into a new spyware setup,” Melick added. Using off-the-shelf code also produces fewer fingerprints, making it easier for attackers to obscure their identity.

Zimperium says it has notified U.S. and South Korean authorities of this hyper-targeted spyware campaign and has reported the host of the command and control server multiple times. However, at the time of writing, the PhoneSpy spyware campaign is still active.

Last month, TechCrunch revealed a significant stalkerware campaign that’s putting the private phone data of hundreds of thousands of people at risk.