info@thehackernews.com (The@The Hacker News
//
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.
The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace.
Recommended read:
References :
- infosec.exchange: NEW: North Korean government hackers snuck spyware onto the official Android app store, and tricked a few people to download it, according to Lookout.
- techcrunch.com: North Korean government hackers snuck spyware on Android app store
- The DefendOps Diaries: KoSpy: Unmasking the North Korean Spyware Threat
- PCMag UK security: Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
- BleepingComputer: New North Korean Android spyware slips onto Google Play
- bsky.app: A new Android spyware named 'KoSpy'Â is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
- The Record: A North Korean nation-state group tracked as APT37 or ScarCruft placed infected utilities in Android app stores as part of an espionage campaign, according to researchers
- www.scworld.com: Android spyware ‘KoSpy’ spread by suspected North Korean APT
- securityaffairs.com: North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy
- bsky.app: A new Android spyware named 'KoSpy'Â is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.
- The Hacker News: The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
- securityonline.info: North Korea’s APT ScarCruft Places Spyware on Google Play
- securityaffairs.com: North Korea-linked APT group ScarCruft used a new Android spyware dubbed KoSpy to target Korean and English-speaking users.
- Secure Bulletin: New Android spyware “KoSpy� linked to North Korean APT37
- securityonline.info: North Korean ScarCruft APT Targets Users with Novel KoSpy Android Spyware
- Carly Page: North Korean-linked hackers uploaded Android spyware to Google Play. The spyware, which collects an “extensive amount� of sensitive data, was downloaded more than 10 times before Google removed it, according to Lookout
Paolo Tarsitano@Cyber Security 360
//
Citizen Lab researchers have identified several countries as potential customers of Paragon Solutions' Graphite spyware, which was used in attacks against human rights defenders. The investigation mapped the infrastructure of the Israel-based spyware maker, identifying servers likely used by customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The findings follow WhatsApp's notification to numerous individuals that Paragon exploited the platform to deliver spyware to their phones.
The Citizen Lab report includes an infrastructure analysis of Graphite, a forensic analysis of infected devices belonging to members of civil society, and a closer look at the spyware's use in Canada and Italy. Meta (WhatsApp) confirmed these details were pivotal to their ongoing investigation into Paragon which allowed them to fix a zero-click exploit.
Paragon’s executive chairman, John Fleming, responded that Citizen Lab shared only a "very limited amount of information" beforehand, "some of which appears to be inaccurate," while declining to specify what was inaccurate. Despite Paragon's claims of selling only to democracies, the report raises concerns about potential abuse, suggesting their safeguards may not be sufficient.
Recommended read:
References :
- infosec.exchange: Researchers mapped out the infrastructure of spyware maker Paragon Solutions, and say they were able to identify servers likely used by customers in several countries: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Paragon’s executive chairman John Fleming said Citizen Lab shared in advance "very limited amount of information, some of which appears to be inaccurate." He declined to say what was inaccurate exactly.
- The Citizen Lab: In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy. —
- techcrunch.com: Researchers name several countries as potential Paragon spyware customers
- CyberInsider: Paragon’s Spyware ‘Graphite’ Used in WhatsApp Attacks
- securityaffairs.com: WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware
- Zack Whittaker: Researchers at Citizen Lab have named several countries as potential customers of Paragon's Graphite spyware, which Citizen Lab says was used in a widespread campaign targeting human rights defenders in Italy.
- Metacurity: Australia, Canada, Cyprus, Denmark, Israel, and Singapore likely bought Paragon spyware, Citizen Lab
- The Hacker News: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
- BleepingComputer: WhatsApp patched zero-day flaw used in Paragon spyware attacks
- Cyber Security 360: Italia spiata: svelata la rete dello spyware Paragon Graphite
- hackread.com: Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit
- The Register - Security: Paragon spyware deployed against journalists and activists, Citizen Lab claims
- Christoffer S.: A First Look at Paragon's Proliferating Spyware Operations" investigates Paragon Solutions, an Israeli spyware vendor founded in 2019 that sells a product called Graphite.
- IT-Connect: Une faille zero-click sur WhatsApp a été exploitée par un spyware de Paragon, à l'aide d'un simple document PDF.
- Zack Whittaker: This week's edition of ~ this week in security ~ includes a look at Citizen Lab's report revealing Paragon spyware customers and victims, CISA scrambling to contact fired staff after court reverses layoffs, and Wiz joining Google Cloud. Plus, a brand new cyber cat, and more. Sign up/RSS: Read online: Donate/support:
Pierluigi Paganini@securityaffairs.com
//
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.
Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.
Recommended read:
References :
- cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
- BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
- securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
- securityaffairs.com: Russia-linked threat actors exploit Signal messenger
- Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
- cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
- bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices� Feature for Espionage in Ukraine
- Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
- cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
- Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
- Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
- www.onfocus.com: Google Threats on Signals of Trouble
- cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
- arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
- MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
- Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
- thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.
@techcrunch.com
//
Italian spyware maker SIO is distributing malicious Android applications that masquerade as popular apps like WhatsApp. According to an exclusive report by TechCrunch, the spyware, dubbed "Spyrtacus," is designed to steal private data from a target's device. Researchers have linked this spyware campaign to SIO, a company that claims to partner with law enforcement agencies, government organizations, police, and intelligence agencies, including the Italian government.
The spyware campaign involves distributing malicious Android apps disguised as popular applications and cellphone provider tools. Security researchers at Lookout identified the spyware as "Spyrtacus" after finding the term in the code of an older malware sample. Spyrtacus possesses capabilities typical of government spyware, including the ability to steal text messages, chats from various messaging platforms, exfiltrate contacts, and record phone calls and ambient audio. At this time, the identities of the spyware targets and victims remain unknown.
Recommended read:
References :
- infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps. The spyware, called Spyrtacus, was made by SIO. The company says on its official website that it partners "Law Enforcement Agencies, Government Organizations, Police and Intelligence Agencies," and sells to Italian government. At this point, we don't have information on who were the spyware targets and victims.
- Zack Whittaker: Incredible reporting by , who caught an Android spyware campaign in the wild. The spyware, dubbed "Spyrtacus," masquerades as popular apps like WhatsApp, but steals victims' phone data. Researchers linked the spyware to Italian firm SIO.
- Pietro395 :proton: ??: Italian spyware maker SIO, known to sell its products to government customers, is behind a series of malicious Android apps that masquerade as WhatsApp and other popular apps but steal private data from a target’s device, TechCrunch has exclusively learned.
- techcrunch.com: Spyware maker caught distributing malicious Android apps for years
- infosec.exchange: NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps.
- techcrunch.com: Spyware maker caught distributing malicious Android apps for years
- Techmeme: Sources: Italian spyware maker SIO created malicious Android apps that masquerade as WhatsApp and other apps; a researcher says they were likely used in Italy (Lorenzo Franceschi-Bicchierai/TechCrunch)
- www.dday.it: Very nice find (in 🇮🇹) by tech site Digital Day. Spyware maker SIO attempted to sell Spyrtacus through an intermediary to an Italian prosecutor's office in Sicily, but was rejected because law says the owner of the product is the one that must apply to the tender.
@techcrunch.com
//
A data breach has impacted users of the spyware applications Cocospy and Spyic, potentially exposing sensitive personal data including messages, photos, and call logs. These consumer-grade spyware apps, sometimes called stalkerware or spouseware, covertly monitor private information on Android devices. The Cocospy breach alone exposed almost 1.8 million customer email addresses, which have been added to the Have I Been Pwned database.
TechCrunch reported on the breach and released a guide with steps for checking Android devices for stalkerware, as well as how to safely remove it. Stalkerware apps are often downloaded from outside official app stores, planted without permission, and hidden on the device to avoid detection. Signs of infection include unusual device behavior like overheating, slow performance, or excessive data usage.
Recommended read:
References :
- cyberinsider.com: A data breach in the spyware applications Cocospy and Spyic has exposed the personal data of millions of people, including sensitive information such as messages, photos, and call logs.
- haveibeenpwned.com: In February 2025, the spyware service . The Cocospy breach alone exposed almost 1.8M customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs, and more.
- Dataconomy: This stalkerware breaches your Android: Fix it now
- Zack Whittaker: We also have guidance on what you can do if you think you've been compromised by Cocospy and Spyic, which can affect both Android and iPhone/iPad users.
- Digital Information World: Secret Phone Surveillance Apps Are Stealing Data—Are You a Target?
@shaarli.maynier.eu
//
Former Polish Justice Minister Zbigniew Ziobro has been arrested by Polish police in connection with the illegal use of NSO Group's Pegasus spyware. The arrest follows a probe into the previous government's use of the spyware, with allegations that Ziobro signed off on government funds to pay for the technology. He is also accused of supervising cases where the spyware was deployed, suggesting a potential abuse of power.
This action is part of a broader investigation initiated by the new prime minister to address the alleged targeting of nearly 600 individuals in Poland by spyware attacks between 2017 and 2022. The probe has been ongoing for years, with a Senate commission previously finding "gross violations of constitutional standards" related to the deployment of Pegasus to hack an opposition politician's device in 2019, even alleging the 2019 elections were tainted by the use of Pegasus.
Recommended read:
References :
- CCC: Poland’s spyware probe has been going on for years: Police now arrested the former justice minister. He had refused to attend hearings on the deployment
- Links: Former Polish justice minister arrested in sprawling spyware probe | The Record
- www.techdirt.com: Poland’s Justice Minister Arrested For Illegal Use Of NSO Group Malware | Techdirt 「 Polish police on Friday arrested the country’s former justice minister, alleging that he signed off on the use of government money to pay for spyware used to snoop on opposition leaders and supervised cases where the technology was deployed 」
|
|
FlagThis - #spyware