The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been found using mobile-only malware families in its attack campaigns.
“BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims,” Lookout said in an analysis. “Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists.”
Gamaredon, also known as Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia’s Federal Security Service (FSB).
Last week, Recorded Future’s Insikt Group revealed the threat actor’s use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.
BoneSpy is believed to have been operational since at least 2021. PlainGnome, on the other hand, emerged only earlier this year. Targets of the campaign likely include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has been the group’s sole focus.
Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.
Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan “may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion.”
The attribution of the new malware to Gamaredon stems from its reliance on dynamic DNS providers and on overlaps in IP addresses that point to command-and-control (C2) domains used in both the mobile and desktop campaigns.
BoneSpy and PlainGnome differ in one important respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also custom-built malware, but one that requires the victim to grant it permission to install other apps via REQUEST_INSTALL_PACKAGES.
Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.
The exact mechanism by which the malware-laced apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, image gallery apps, a fake Samsung Knox app, and a fully functional-but-trojanized Telegram app.
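As an added triage example (not code from the article or from Lookout), the script below reads a constructed AndroidManifest.xml, maps its requested permissions onto the collection capabilities listed above, and flags the REQUEST_INSTALL_PACKAGES dropper pattern; the manifest, package name and thresholds are assumptions for illustration.

```python
"""Triage helper: score an Android manifest's permission set against the
surveillance capabilities described for BoneSpy and PlainGnome."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets from the report, keyed to the permissions that grant them.
CAPABILITIES = {
    "sms":      {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls":    {"android.permission.READ_CALL_LOG"},
    "audio":    {"android.permission.RECORD_AUDIO"},
    "camera":   {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
# PlainGnome needs this permission to install its embedded surveillance payload.
DROPPER_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Map permissions to capability buckets and flag the dropper pattern."""
    perms = manifest_permissions(manifest_xml)
    hit = sorted(name for name, grants in CAPABILITIES.items() if perms & grants)
    return {
        "capabilities": hit,
        "dropper": DROPPER_PERMISSION in perms,
        # A self-installing app that also wants several collection buckets is
        # the combination the report describes; threshold of 3 is an assumption.
        "suspicious": DROPPER_PERMISSION in perms and len(hit) >= 3,
    }


# Constructed sample manifest (not a real sample): a "gallery" app asking for
# far more than a gallery needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```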
“While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base,” Lookout said.