Researchers from Zimperium zLabs uncovered an ongoing campaign aimed at infecting the mobile phones of South Korean users with a new, sophisticated Android spyware dubbed PhoneSpy.
The malware has already hit more than a thousand South Korean victims.
Unlike other surveillance software that attempts to exploit vulnerabilities on the device, PhoneSpy disguises itself as a harmless application, with purposes ranging from learning yoga to watching TV and videos or browsing photos.
PhoneSpy supports a broad range of capabilities, such as accessing the camera to take pictures, recording video and audio, getting the GPS location, viewing pictures from the device, and accessing files and messages on the device.
The malware also allows an attacker to remotely control the infected mobile devices.
The threat actors are distributing the malware through web traffic redirection or social engineering; experts did not find any evidence of the spyware in any app in the Play Store.
“The Zimperium zLabs mobile threat research team identified 23 applications targeting South Korean citizens to date, infecting thousands of victims to this spyware campaign. These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,” reads the analysis published by ZimperiumLabs. “We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”
The malware can tamper with calls, access contact information, and send SMS messages on behalf of the victim.
Once installed, it requests permissions and displays a phishing page that clones the login page of the popular South Korean messaging app “Kakao Talk” to steal credentials.
“Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.” Zimperium concludes.
(SecurityAffairs – hacking, spyware)