The Russian state-sponsored APT group Gamaredon, also known as Primitive Bear or Shuckworm, has been identified deploying two new Android spyware families named BoneSpy and PlainGnome. This marks the first known instance of Gamaredon using mobile-only malware. These tools are designed for extensive surveillance and target Russian-speaking individuals in former Soviet states, including Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. BoneSpy has been operational since at least 2021, while PlainGnome first appeared in 2024, and both are currently active. Lookout researchers assess that this targeting may be related to the worsening relations between these countries and Russia since the invasion of Ukraine.
BoneSpy and PlainGnome are capable of collecting a wide range of data, including SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists. BoneSpy is derived from the Russian open-source DroidWatcher app, whereas PlainGnome is custom-built and uses a two-stage deployment process: the first stage installs a minimal app that requests the permissions needed to drop the malicious payload. The spyware then exfiltrates collected data while the device is idle, which helps it evade detection. Gamaredon's use of dynamic DNS providers is consistent with its known tactics in desktop campaigns and supports attribution of these tools to the group, with infrastructure overlaps showing that command-and-control domains are shared between the mobile and desktop activities.