Researchers discovered new Android spyware that provides capabilities similar to NSO Group’s controversial Pegasus software. Called PhoneSpy, the mobile surveillance-ware has been spotted actively targeting South Koreans without their knowledge.
PhoneSpy disguises itself as a legitimate application and gives attackers complete access to the data stored on a targeted device, along with full control over it, according to a Zimperium zLabs report published Wednesday.
Pegasus spyware, developed by Israeli-based NSO Group, which has been blacklisted by the U.S. government, has been linked to cyberattacks against dissidents, activists and NGO workers. However, it’s unclear from the Zimperium report who is behind PhoneSpy and whether it is being sold commercially. Also unclear from the report is whether high-profile victims or random individuals are being targeted by PhoneSpy.
According to Zimperium, attackers are weaponizing PhoneSpy for similar purposes as the NSO Group did. However, researchers conceded they are unsure why thousands in South Korea are targeted or what connection they have to each other.
Hiding in Plain Sight
The spyware is potentially more dangerous than Pegasus, researchers assert. They argue that PhoneSpy “hides in plain sight, disguising itself as a regular application with purposes ranging from learning yoga to watching TV and videos, or browsing photos,” Zimperium researcher Aazim Yaswant wrote in the post.
PhoneSpy features include stealing data, eavesdropping on messages and viewing images stored on the phone. Researchers said attackers can also gain full remote control of Android phones. So far, Yaswant wrote, Zimperium has identified 23 applications surreptitiously containing the spyware.
“These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,” Yaswant wrote. “We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”
Another reason for concern over PhoneSpy’s appearance is it is written with off-the-shelf code, showing that spyware on par with Pegasus is not just limited to organized and sophisticated companies such as NSO. It also means it’s easier for the cybercriminals behind the spyware to cover their tracks, as the spyware doesn’t carry specific fingerprints of a certain organization, Yaswant wrote.
So far researchers have found PhoneSpy, which disguises itself as various lifestyle apps, targeting only Android users in South Korea, they said. Since it hasn’t been sighted on Google’s official app store or other third-party Android app stores, Yaswant surmised PhoneSpy is being distributed via social engineering tactics rather than through a zero-day vulnerability.
Once installed, the spyware treads a typical path for malware of its type. It first requests permissions and opens a phishing page that imitates the login page of the popular South Korean messaging app “Kakao Talk” to steal credentials, Yaswant explained. This information can then be used to log in to other South Korean services that offer a single-sign-on feature, he said.
Meanwhile, in the background, the spyware acts like a Remote Access Trojan (RAT), abusing permissions to exfiltrate data to a command-and-control server and leaving the device open to access for the threat actors, researchers found.
In addition to stealing data, other capabilities of PhoneSpy include recording or live-streaming video or audio; viewing SMS messages (such as two-factor authentication messages); sending SMS messages as the device’s owner; editing contact info in the device’s address book; enabling call forwarding; and viewing the GPS location of the device.
PhoneSpy also can install or uninstall any of the apps on the device, including security apps, thus giving itself an additional way to avoid detection, Yaswant wrote.
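As an added defender-side illustration (not code from the Zimperium report), the following Python triages an app’s AndroidManifest.xml for the permission profile the capabilities described above imply. The manifests, the capability-to-permission mapping and the threshold are constructed assumptions.

```python
"""Triage an Android manifest for the permission profile PhoneSpy would need.
Constructed example: manifests below are made up; the capability-to-permission
mapping is an assumption, not data from the Zimperium report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Reported PhoneSpy capabilities -> manifest permissions that grant them.
CAPABILITY_PERMS = {
    "read SMS (incl. 2FA codes)": {"android.permission.READ_SMS",
                                   "android.permission.RECEIVE_SMS"},
    "send SMS as device owner": {"android.permission.SEND_SMS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "record video": {"android.permission.CAMERA"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "edit contacts": {"android.permission.WRITE_CONTACTS"},
    "call forwarding (MMI dial)": {"android.permission.CALL_PHONE"},
    "install/uninstall apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                               "android.permission.REQUEST_DELETE_PACKAGES"},
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def surveillance_capabilities(manifest_xml):
    """List the PhoneSpy-style capabilities the declared permissions enable."""
    perms = declared_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITY_PERMS.items() if needed & perms]

def triage(manifest_xml, threshold=4):
    """Flag an app enabling >= threshold surveillance capabilities; a yoga, TV
    or photo-browsing app has no legitimate reason to reach that many."""
    caps = surveillance_capabilities(manifest_xml)
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}

def _manifest(*names):  # constructed fixture: names get the android.permission. prefix
    body = "".join(f'<uses-permission android:name="android.permission.{n}"/>'
                   for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="com.example.app">{body}</manifest>')

# Constructed: a "yoga" app declaring the full surveillance profile.
SPY_MANIFEST = _manifest("INTERNET", "READ_SMS", "SEND_SMS", "RECORD_AUDIO", "CAMERA",
                         "ACCESS_FINE_LOCATION", "WRITE_CONTACTS", "CALL_PHONE",
                         "REQUEST_DELETE_PACKAGES")
# Constructed: a photo-browsing app asking only for what it needs.
BENIGN_MANIFEST = _manifest("INTERNET", "READ_EXTERNAL_STORAGE")
```

Declared permissions are only the first signal; an app that asks for this profile at install time still has to be granted them at runtime, so the same check is worth repeating against the permissions a device has actually granted.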