PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens

Share this blog

Update November 22, 2021: It has been determined that this specific campaign is no longer active. The command and control server has been taken down, and the infected devices are no longer under the control of the attackers.

Many of the malware campaigns we have detected over the last year have been global at scale, targeting anyone with little regard to their location. Recently, we discovered and began monitoring the activity behind PhoneSpy, a spyware aimed at South Korean residents with Android devices. With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices.

Unlike other spyware campaigns we have covered that take advantage of vulnerabilities on the device, PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos. But in reality, the application is stealing data, messages, images, and remote control of Android phones. The data stolen from victim devices ranged from personal photos to corporate communications. The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss.

While the victims have been limited to South Korea, PhoneSpy is an example of how malicious applications can disguise their true intent. When installed on victims’ devices, they leave personal and corporate data at risk. With mobile devices playing critical roles in distributed and remote work, it is no surprise that spyware campaigns like PhoneSpy are on the rise.

Samples of PhoneSpy were not found in any Android app store, indicating that attackers are using distribution methods based on web traffic redirection or social engineering.

Once in control, the attackers can access the camera to take pictures, record video, and audio, get precise GPS location, view pictures from the device, and more.

Zimperium zLabs identified the PhoneSpy spyware app during routine threat research, and the zLabs team launched an investigation after identifying multiple related malicious applications.

Disclosure: Due to the nature of this spyware campaign, Zimperium has notified and submitted all relevant threat data to US and South Korean authorities. The Zimperium team also reported to the host of the command and control server multiple times, offering support in a takedown of the malicious services. At the time of this writing, the PhoneSpy spyware campaign is still active.

In this blog, we will:

  • Cover the capabilities of the Android spyware;
  • Discuss the techniques used to collect and store data; and
  • Show the communication with the C&C server to exfiltrate stolen data.

What Can PhoneSpy Spyware Do?

The mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions, such as:

  • Complete list of the installed applications
  • Steal credentials using phishing
  • Steal images
  • Monitoring the GPS location
  • Steal SMS messages
  • Steal phone contacts
  • Steal call logs
  • Record audio in real-time
  • Record video in real-time using front & rear cameras
  • Access camera to take photos using front & rear cameras
  • Send SMS to attacker-controlled phone number with attacker-controlled text
  • Exfiltrate device information (IMEI, Brand, device name, Android version)
  • Conceal its presence by hiding the icon from the device’s drawer/menu

Upon infection, the victim’s mobile device will transmit accurate GPS locational data, share photos and communications, contact lists, and downloaded documents with the command and control server. Similar to other mobile spyware we have seen, the data stolen from these devices could be used for personal and corporate blackmail and espionage. The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices.

How Does PhoneSpy Spyware Work?

The PhoneSpy spyware disguises itself as various lifestyle apps targeting Korean-speaking users. It is most likely distributed through web traffic redirection or social engineering as it has not been detected in Android stores, including third-party or regional stores. After installation, the application requests permissions and opens a phishing page that imitates the login page of the popular South Korean messaging app “Kakao Talk” to steal credentials.

The application follows the typical behavior of spyware by asking for permissions to exercise its capabilities.

Figures.1,2: The list of permissions requested by one of the applications

After installation and launch, the app displays a login page and attempts to steal the credentials for “Kakao” which can be used to login into other services in South Korea with the Single-Sign-On feature.

Figures.3-5: The phishing pages hosted by the threat actors

In most of the discovered applications, the application’s user/victim interaction is limited to the above sign-on, only to receive an error message. Many of the applications are facades of a real app with none of the advertised user-based functionality. In a few other cases, like simpler apps that advertise as photo viewers, the app will work as advertised all while the PhoneSpy spyware is working in the background.


Figure.6
: Dynamic loading of content from the remote server

Figures.7-10: The fake gallery website displayed by the app & the files hosted on it

While these actions are taking place in the foreground, the spyware abuses its permissions and acts as a Remote Access Trojan, leaving the device open to access for the threat actors. The spyware makes sure to avoid data redundancy by only uploading the latest data created after the last upload, as seen in Figure.11.


Figure.11
: SMS data collection and exfiltration to the C&C server

The command and control server stores all the exfiltrated data and maintains a communication channel with the infected devices to send commands.

The table of commands and the corresponding actions are shown in Table.1.

Command Action
0 Upload phone information such as Phone.No, IMEI, Android version, and Model Name
1 Upload the entire contacts list
2 Delete a contact matching by phone number
3 Upload all the SMS stored in the device
4 Upload the latest call logs since the last upload
5 Upload all the photos from the sdcard
6 Upload all the videos from the sdcard
7 Get real-time GPS location
8 Send an SMS to a phone number with content, both as directed by the C&C server
9 Take photos using the Front Camera & upload them to the C&C server
10 Take photos using the Rear Camera & upload them to the C&C server
11 Real-time video streaming using the Front camera
12 Real-time video streaming using the Rear camera
13 Set the duration for real-time audio recording
14 Upload the recorded audio files
16 Add call forwarding
17 Remove call forwarding
18 Update call forwarding
21 Remove blocklisting of a phone number as directed by the C&C server
22 Add blocklisting of a phone number as directed by the C&C server
24 Collect the list of installed applications, including the icon, app version, package name, and update date.
25 Uninstall an application matching by package name
28 Download an apk from the link sent by the C&C server and install the application as an update
30 Insert contact with name and phone number as directed by the C&C server
31 Delete all the SMS stored in the infected device
32 Delete all call logs stored in the infected device
33 Open a URL sent by the C&C server used for harvesting credentials through phishing.

Table.1: Supported commands and associated actions

The command and control server has a web-based interface and is protected by an authentication mechanism using credentials, as seen in Figure.12.


Figure.12:
The login panel of the C&C server

The application is capable of uninstalling any user-installed applications, including mobile security apps. The device’s precise location is available in real-time to the malicious actors, all without the victim knowing. The spyware also enables the threat actor to use phishing pages for harvesting credentials of Facebook, Instagram, Google, and Kakao Talk, just like the phishing pages shown in Figures.13-15. The threat actor uses the command “33” to send a phishing URL to the device, and PhoneSpy loads the page. Any credentials typed into the forms are sent back to the command and control server.

Figures.13-15: The phishing pages targeting Facebook, Google, and Instagram


Figure.16
: A collection of icons of some of the spyware applications

The Victims of the PhoneSpy Spyware Campaign

The Zimperium zLabs mobile threat research team identified 23 applications targeting South Korean citizens to date, infecting thousands of victims to this spyware campaign. These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion. We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.

Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.


Figure.17:
The victimology map 

Zimperium vs. PhoneSpy Spyware

Zimperium zIPS customers are protected against PhoneSpy with our on-device z9 Mobile Threat Defense machine learning engine.

Zimperium on-device phishing classifiers detect the traffic from the domain https[:]//acd.kcpro.ga as malicious from inception with our machine learning-based technology, blocking all traffic to it and preventing attackers from taking effective control of any compromised devices.

All the compromised and malicious applications found were also reviewed using Zimperium’s app analysis platform, z3A. All these apps returned reports of high privacy and security risks to the end-user. Zimperium administrators can create risk policies preventing users from installing high-risk apps like PhoneSpy.

Key  privacy risks identified by our z3A service analysis PhoneSpy infected apps are:

  • Access to SMS messages, camera, call logs, contacts, and location, among others.
  • The capability of recording audio, video, and starting phone calls.
  • Use of MQTT library, which can be used to track the user.
  • Access device information such as phone number, device ID, if a call is active (and the phone number the call is being held with).
  • Tamper with calls, being able to modify the phone number being dialed.
  • Read/write access to the SD card.
  • Exposed API keys.

Key The main privacy risks identified by our z3A service analysis of PhoneSpy infected apps are:

  • Exposed services with no permissions assigned.
  • WebView enabled, which can be used to execute JavaScript code.
  • Malware detected by z9 engine.
  • The app is built with the debug flag.
  • Use of system-level permissions and accessibility permissions.
  • Can modify WiFi connections.
  • Have the capability to perform overlay attacks (one of the main techniques used by Banker Trojans).

To ensure your Android users are protected from PhoneSpy spyware, we recommend a quick risk assessment. Any application with PhoneSpy will be flagged as a Suspicious App Threat on the device and in the zConsole. Admins can also review which apps are sideloaded onto the device, increasing the mobile attack surface and leaving data and users at risk.

PhoneSpy Spyware’s Impact on Global Enterprises

The PhoneSpy Android spyware campaign puts enterprises at as much, if not more, risk than consumers. The rise of bring your own device (BYOD) policies has blurred the line between work and personal data and any compromise to the security of an enterprise-connected device puts all corporate data at risk. Spyware such as PhoneSpy has the capabilities to read corporate messages, install compromised versions of enterprise applications, and download locally stored data like documents and photos without the enterprise or end user knowing. The capability to turn on the mobile camera and microphone during in-person meetings is also a high risk to businesses. These capabilities, mixed with the common framework and approach of PhoneSpy, can impact an enterprise’s security, reveal critical and private data, and lead to loss of customers, research, and data.

Indicators of Compromise

C&C servers

  • 1.234.82[.]23
  • 1.234.82[.]31
  • 175.126.146[.]147
  • https[:]//acd.kcpro.ga

SHA-256 Hashes and Application Names

1b762680c64d851151a829e2679c68b4ea19aa825b6fe3866a191bf3d30fac70 Videos
4afbbc8247f0622bb7f40beeaff38083fe1514233c0e545b4ac11e17896548a2 Picture
7ca71565ac1f57725606fd92033928fbd727b810cd507f9d7b0ca2c89853abcf Secret TV
45d26f6d4a98ea352aa4411b861ddbee388546326567ce893124bbc8a0d1817b 영상 – videos
84d3e71dc27f7adfb9c6ac628dd240498059b82ec211c99e8ec63e3bc26240ba Daily Yoga
95de5f5533e6f9a7562e50b4f68bd5ce71227f52a1a9c15ee734cdfb59b27f1d 갤러리 – Gallery
208d68c431d58e6d311ae0f2574fab85a1205fc1597e10690116bf406eb5499c Vera
3125ba3f8ad308f93ecc2e167d4f4ecfccc6a1212795ac615e593dceff1ca795 동영상 – Videos
4687ef5f6b9398f2bf3ac84011afce3979145a42f29d35e8fd3ad1b086699952 갤러리 – Gallery
58195ad6606265c2d5d34f9b17d81daafc0a65551d8b83d9669a7e96ede786c1 내꺼사진 – My Picture
70176c319aa4ca24c4cbfdf2b80a8d5ca430fc8370e2515b79f3c3c52ed58dc1 음성지원 – Voice Support
1568520923f992612163a69d074580885deec03f2727824407f0371cc295aec5 Gallery
af5d676ceecd28c83b8962fc5db012cdada7812cddf856ae63f735a3efd695b7 갤러리 – Gallery
b3132e4cd475c381f2ec384b9055ee11ae80b529dcc78f03629106e2d12a50f6 Vera
b3333e2542a8d407d7ed6a2f0930d4372a84c9f95478d72ba1d6999c1c4ce74f 클라우드 – Cloud
beeb1010ca571221b0aa8604f1bf078331b06e378384f8651552b13aa20c9389 야동 – Porn
c6793fcb9c647d0439a5bbeec46b5e24afc1e55b8e980669b3c1726d6556c72a Vera
cf03a179b2b8d6a85a6ad3e5cd7405fe9a99c6ce89c6635d8c5d34bc9889b2ba Gallery
d4b6a0055fbaec51c6a2d5edd29eec7768a27b40a6da94223ded28df3726487d 1004 Yoga
d797bf2b4fd7a2cd38da819996e57b39b89ad0e65a0d9633ea332d8234368ce3 갤러리 – Gallery
d4428d5eb4f746b3d136d4dbeb3907c82a9ac7fa18efd037d616f2f11dc235ac 한나TV – Hannah TV
ef467f2389063e044237587ef12f8b0ae37d5b31c5b4efbf0928dfe5b648ed5a Gallery
ef29420420802265d3958e05c33badad17d982309bd6f877d15475e64c793692 보안카메라 – Security Camera

About Zimperium

Zimperium provides the only mobile security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from applications to endpoints, Zimperium is the only solution to provide on-device mobile threat defense to protect growing and evolving mobile environments. For more information or to schedule a demo, contact us today.

Avatar photo
Malware Analyst. View the author's experience and accomplishments on LinkedIn.

Get started with Zimperium today