
Android users targeted by two new spyware threats


Security researchers at Lookout recently discovered Russia’s Gamaredon Group using two Android spyware families, BoneSpy and PlainGnome, for spying and data theft. These are the first known mobile malware families linked to the Russian cyberespionage group.


The threat actors reportedly planted BoneSpy using trojan-laced apps posing as battery charge monitoring apps, photo-gallery apps, a Samsung Knox app, and Telegram apps. Gamaredon reportedly started using fully functional trojan-laced Telegram samples labeled as “Beta” versions. In the published report, Lookout notes that development of the BoneSpy malware spiked between January and October 2022, and that it has multiple capabilities.

These include collecting SMS details and recording ambient audio and phone calls. The Android spyware also captures GPS and call-based location data, screenshots, and pictures. BoneSpy is also linked with accessing web history and scraping exact names, numbers, emails, and call details.

On the other hand, PlainGnome is a new Gamaredon Group-made Android surveillance spyware. It doesn’t use the codebase of a previously known project. Per the report, PlainGnome’s code significantly evolved from January to October this year. This hints that the Russian cyberspies are actively working on it.

The new Android spyware uses a two-stage installation process that separates the dropper from the payload. In addition to data collection capabilities like those of BoneSpy, PlainGnome includes advanced features like Jetpack WorkManager. This allows the spyware to exfiltrate data when the device is idle, reducing the chance of detection even by tech-savvy users.

Android spyware posing as Samsung Knox
Image credit: Lookout

There’s no evidence that spyware-infected apps are present on the Google Play Store

Notably, there’s no evidence that these malware families are present on Google Play. Therefore, it’s safe to assume that victims often downloaded apps containing spyware from third-party websites. Lookout’s researchers also point out that Gamaredon is evolving its tactics to expand its surveillance capabilities to Android devices.
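As an added example (not code from Lookout's report or from this article), the following Python triages the decoded `AndroidManifest.xml` of a sideloaded app against the capabilities and two-stage installation described above. The capability-to-permission mapping, the review threshold and the sample manifests are assumptions constructed for illustration; a flag only marks an app for closer inspection.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}

# Assumed mapping (not from Lookout's report): capabilities the article
# lists, and the Android permissions an app must declare to use them.
CAPABILITY_PERMISSIONS = {
    "sms": {"READ_SMS", "RECEIVE_SMS"},
    "audio_recording": {"RECORD_AUDIO"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "pictures": {"CAMERA"},
    "contacts": {"READ_CONTACTS"},
    "call_details": {"READ_CALL_LOG"},
}
INSTALLER_PERMISSION = "REQUEST_INSTALL_PACKAGES"  # needed to install a second APK

def triage_manifest(manifest_xml, threshold=4):
    """Summarise which surveillance-relevant capabilities a manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {
        node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
        for node in root if node.tag in PERMISSION_TAGS
    }
    covered = sorted(c for c, perms in CAPABILITY_PERMISSIONS.items() if perms & requested)
    can_install = INSTALLER_PERMISSION in requested
    return {
        "package": root.get("package"),
        "capabilities": covered,
        "can_install_packages": can_install,
        # Flag broad data access, or an app that can install other packages.
        "needs_review": len(covered) >= threshold or can_install,
    }

def _manifest(package, permissions):
    """Build a constructed sample manifest for the demo below."""
    tags = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{tags}</manifest>')

# Constructed samples: a stage-one style utility, a payload-style app, a benign app.
SAMPLE_DROPPER = _manifest("com.example.battery", ["REQUEST_INSTALL_PACKAGES"])
SAMPLE_PAYLOAD = _manifest("com.example.gallery", ["READ_SMS", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "CAMERA", "READ_CONTACTS", "READ_CALL_LOG"])
SAMPLE_BENIGN = _manifest("com.example.notes", ["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for sample in (SAMPLE_DROPPER, SAMPLE_PAYLOAD, SAMPLE_BENIGN):
        print(triage_manifest(sample))
```

Screenshot capture and web-history access are not gated by a single manifest permission, so this check does not cover them.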

It’s worth noting that Gamaredon used Android spyware in attacks against Russian-speaking victims in former Soviet states like Uzbekistan and Kazakhstan. However, the report doesn’t confirm if the spyware targeted Ukrainian citizens.


