The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been found using mobile-only malware families in its attack campaigns.
“BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims,” Lookout said in an analysis. “Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists.”
Gamaredon, also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia’s Federal Security Service (FSB).
Last week, Recorded Future’s Insikt Group revealed the threat actor’s use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.
BoneSpy is believed to have been operational since at least 2021, whereas PlainGnome emerged only earlier this year. Based on VirusTotal submissions of the artifacts, the campaign's targets presumably include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. There is no evidence at this stage that the malware was used to target Ukraine, which has historically been the group’s primary focus.
Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.
Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan “may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion.”
The attribution of the new malware to Gamaredon stems from its reliance on dynamic DNS providers and overlaps in IP addresses that point to command-and-control (C2) domains used in both mobile and desktop campaigns.
BoneSpy and PlainGnome differ in one crucial respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also custom-made malware, but one that requires the victim to grant it permission to install other apps via the REQUEST_INSTALL_PACKAGES permission.
Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.
The exact mechanism by which the malware-laced apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app.
“While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base,” Lookout said.
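The capability list above maps fairly directly onto Android permission declarations, which makes a manifest-level triage check a cheap first filter when sorting through suspicious APKs. The script below is an added example, not Lookout's tooling or code from either malware family: it parses an AndroidManifest.xml, reports which of the surveillance capabilities the article lists are requested, and separates the dropper profile (REQUEST_INSTALL_PACKAGES present, as with PlainGnome) from the standalone profile. The sample manifest, the package name `com.example.batterymon`, and the "four or more capabilities" threshold are all constructed assumptions for illustration.

```python
"""Manifest triage for the surveillance profile described above.

Added example, not Lookout's code or the malware itself. The permission
names are real Android permissions; the sample manifest, the package name
and the alert threshold are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission -> the capability the article lists.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "call/ambient audio",
    "android.permission.CAMERA": "camera photos",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_CONTACTS": "contact lists",
}
# Needed on Android 8+ for an app to launch installation of another APK:
# the trait that distinguishes a dropper such as PlainGnome from a standalone tool.
DROPPER_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Notification access is declared on a service, not via <uses-permission>.
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

SUSPICIOUS_THRESHOLD = 4  # assumption: tune to the fleet being reviewed


def triage_manifest(manifest_xml: str) -> dict:
    """Return the surveillance capabilities a manifest requests and a profile label."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    capabilities = {cap for perm, cap in SURVEILLANCE_PERMS.items() if perm in requested}
    if any(svc.get(perm_attr) == NOTIF_LISTENER_PERM for svc in root.iter("service")):
        capabilities.add("notifications")

    can_install = DROPPER_PERM in requested
    return {
        "package": root.get("package"),
        "capabilities": sorted(capabilities),
        "can_install_packages": can_install,
        "profile": "dropper" if can_install else "standalone",
        "suspicious": len(capabilities) >= SUSPICIOUS_THRESHOLD,
    }


# Constructed sample: a "battery monitor" that requests the full surveillance set
# plus the install permission, i.e. the dropper-style profile.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterymon">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Battery Monitor">
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A real triage pipeline would pull the manifest out of the APK first (for example with apktool or aapt) and treat this as one signal among several; a legitimate messaging app legitimately requests much of this set, so the dropper flag and the absence of any user-facing feature justifying the permissions are what make the combination worth a closer look.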