The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools dubbed BoneSpy and PlainGnome, marking the first time the adversary has been found using mobile-only malware families in its attack campaigns.
“BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims,” Lookout said in an analysis. “Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists.”
Gamaredon, also known as Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia’s Federal Security Service (FSB).
Last week, Recorded Future’s Insikt Group revealed the threat actor’s use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.
BoneSpy is believed to have been operational since at least 2021, whereas PlainGnome emerged only earlier this year. Targets of the campaign likely include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has historically been the group’s primary focus.
Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.
Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan “may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion.”
The attribution of the new malware to Gamaredon rests on the operators’ reliance on dynamic DNS providers and on overlaps in the IP addresses behind command-and-control (C2) domains used in both the mobile and the desktop campaigns.
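The two signals named above, dynamic DNS usage and shared C2 IP addresses across campaigns, are the kind an analyst derives from passive DNS data. The following is an added example of that pivot, not Lookout’s data or method: the records, domains and IPs are constructed placeholders, and the dynamic DNS provider suffix list is an illustrative assumption.

```python
"""Infrastructure-overlap pivot: which C2 IPs are shared between two campaigns,
and how much of each campaign's infrastructure sits on dynamic DNS providers.

Added example, not Lookout's tooling. All records below are constructed
(RFC 5737 documentation ranges); the provider suffix list is an assumption.
"""
from collections import defaultdict

# Assumed list of dynamic DNS zones; extend from your own threat intel.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "myftp.biz")

# Constructed passive-DNS style records: (campaign, domain, resolved_ip).
RECORDS = [
    ("desktop", "update-service.ddns.net", "192.0.2.10"),
    ("desktop", "docs-share.example.net", "192.0.2.10"),
    ("desktop", "telemetry.hopto.org", "192.0.2.44"),
    ("mobile", "battery-api.ddns.net", "192.0.2.10"),
    ("mobile", "gallery-sync.no-ip.org", "198.51.100.7"),
    ("mobile", "knox-verify.example.org", "203.0.113.5"),
]


def is_dynamic_dns(domain: str) -> bool:
    """True if the domain is a subdomain of one of the assumed dynamic DNS zones."""
    return domain.endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES))


def overlap_report(records) -> dict:
    """Return the IPs seen in every campaign (with the domains that resolved to
    them) and, per campaign, the fraction of domains hosted on dynamic DNS.

    Caveat: a shared IP on a CDN, shared host or tunnel edge (e.g. Cloudflare)
    is weak evidence; filter such ranges out before treating overlap as a link.
    """
    ips_by_campaign = defaultdict(set)
    domains_by_campaign = defaultdict(set)
    domains_by_ip = defaultdict(set)
    for campaign, domain, ip in records:
        ips_by_campaign[campaign].add(ip)
        domains_by_campaign[campaign].add(domain)
        domains_by_ip[ip].add((campaign, domain))

    shared_ips = set.intersection(*ips_by_campaign.values()) if ips_by_campaign else set()
    ddns_ratio = {
        c: sum(1 for d in doms if is_dynamic_dns(d)) / len(doms)
        for c, doms in domains_by_campaign.items()
    }
    return {
        "shared_ips": {ip: sorted(domains_by_ip[ip]) for ip in sorted(shared_ips)},
        "ddns_ratio": ddns_ratio,
    }


if __name__ == "__main__":
    report = overlap_report(RECORDS)
    for ip, doms in report["shared_ips"].items():
        print(f"shared C2 IP {ip}:")
        for campaign, domain in doms:
            print(f"  [{campaign}] {domain}")
    for campaign, ratio in report["ddns_ratio"].items():
        print(f"{campaign}: {ratio:.0%} of domains on dynamic DNS")
```

Both measures are circumstantial on their own; the overlap is only meaningful after CDN and tunnel edge addresses (of the kind the Cloudflare Tunnel staging described above would produce) have been excluded, and dynamic DNS usage is a habit shared by many actors, so it corroborates rather than establishes attribution.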
BoneSpy and PlainGnome differ in one crucial respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also custom malware, but one that requires the victim to grant it permission to install other apps via REQUEST_INSTALL_PACKAGES.
Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.
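The two traits just described, a dropper that must request REQUEST_INSTALL_PACKAGES and a permission set wide enough to collect SMS, call logs, call audio, camera images, location and contacts, are visible in an app’s manifest before it ever runs. The following is an added triage example, not Lookout’s tooling or code from either malware family: it checks a decoded AndroidManifest.xml for that combination. The mapping from collected data types to Android permissions and the verdict thresholds are this example’s assumptions, and the manifests are constructed for illustration (a real APK carries a binary manifest; decode it with apktool or androguard first).

```python
"""Manifest triage for the dropper-plus-surveillance permission profile.

Added example, not Lookout's code or code from BoneSpy/PlainGnome. The
permission mapping and thresholds are assumptions; manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Data types named in the report, mapped to the permissions an app would need
# to collect them (assumed mapping, not taken from the report).
SURVEILLANCE_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "call_audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
# Needed by any app that installs a second-stage package (the dropper trait).
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed manifest: a "battery monitor" that asks to install packages and
# to read nearly every data source the report lists.
DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterymon">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Battery Monitor"/>
</manifest>"""

# Constructed manifest: what a battery monitor plausibly needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterymon.legit">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Battery Monitor"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str) -> dict:
    """Classify a manifest by dropper capability and surveillance coverage."""
    perms = declared_permissions(manifest_xml)
    categories = sorted(cat for cat, needed in SURVEILLANCE_PERMISSIONS.items()
                        if perms & needed)
    dropper = INSTALL_PERMISSION in perms
    # Assumed thresholds: a dropper with three or more surveillance categories,
    # or any app covering four or more, is worth an analyst's attention.
    if dropper and len(categories) >= 3:
        verdict = "suspicious: dropper with surveillance profile"
    elif len(categories) >= 4:
        verdict = "suspicious: surveillance profile"
    else:
        verdict = "low"
    return {"dropper": dropper, "categories": categories, "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("dropper", DROPPER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is a prioritisation aid, not a verdict: app stores and MDM agents legitimately declare REQUEST_INSTALL_PACKAGES, and a trojanized messaging client (such as the functional Telegram build mentioned below) will declare a wide permission set for genuine reasons, so flagged samples still need the embedded payload extracted and analysed.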
The exact mechanism by which the malware-laced apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app.
“While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base,” Lookout said.