
PhoneSpy Malware

An active espionage campaign targeting South Korean users has been identified by security experts. According to their findings, the attackers aim to compromise the users' Android devices by infecting them with the PhoneSpy malware threat - an advanced RAT (Remote Access Trojan) capable of performing numerous intrusive actions on the breached devices. It seems that the main goal of hackers is to gather massive amounts of sensitive personal or corporate data from their victims.

So far, cybersecurity experts have discovered 23 different weaponized applications carrying the threat. It should be noted that none of these applications has managed to breach the official Google Play store; as a result, they are mainly being spread via third-party app platforms. The initial vector of compromise is believed to be phishing links distributed among the target users. The chosen applications pretend to be useful tools offering messaging, photo management, yoga instructions, content streaming and more.

Threatening Functions

PhoneSpy may not be among the most sophisticated RATs out there, but its capabilities should not be underestimated. Once users have downloaded and executed the APK file of one of the fake applications, it will trigger the deployment of PhoneSpy on their devices. The first action taken by the threat is to display a phishing page designed to appear as if it is coming from a legitimate service, such as the Kakao Talk messaging application. The fake page will try to convince the user to give it numerous device permissions.

PhoneSpy will then establish its surveillance routines and will begin gathering private information from the device. The RAT can track the user's location via the device's GPS, take images, record audio or video by hijacking the device's microphone and camera, intercept incoming SMS messages, establish call forwarding, collect the call logs and contact lists, and even send arbitrary messages from the device using the victim's account and credentials. The vast amount of collected data will be transmitted to the Command-and-Control (C2, C&C) servers of the attackers.

To remain hidden on the device, PhoneSpy employs obfuscation techniques for its code. It also will remove the icon of the fake application from the screen of the phone, a common concealment action observed in these RAT threats. PhoneSpy may even try to get rid of mobile security solutions present on the device by attempting to uninstall them.
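For defenders triaging sideloaded APKs, the behaviours listed above can be checked against the permissions an app declares. The following is an added example, not code from the researchers or from the malware: it reads a decoded AndroidManifest.xml and reports which of those behaviours the requested permissions would enable. The capability-to-permission mapping, the threshold, and the `com.example.yoga` sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping: behaviours described in the text -> standard Android
# permissions an app would normally have to request to perform them.
CAPABILITIES = {
    "location tracking": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "camera capture": {"CAMERA"},
    "audio recording": {"RECORD_AUDIO"},
    "SMS interception": {"RECEIVE_SMS", "READ_SMS"},
    "sending messages": {"SEND_SMS"},
    "call log access": {"READ_CALL_LOG"},
    "contact list access": {"READ_CONTACTS"},
    "call forwarding": {"CALL_PHONE"},
    "uninstalling other apps": {"REQUEST_DELETE_PACKAGES"},
}


def surveillance_capabilities(manifest_xml):
    """Return sorted capability names whose permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name", "")
                 for el in root.iter()
                 if el.tag in ("uses-permission", "uses-permission-sdk-23")}
    return sorted(cap for cap, perms in CAPABILITIES.items()
                  if {PREFIX + p for p in perms} & requested)


def triage(manifest_xml, threshold=5):
    """Flag a manifest covering `threshold` (assumed value) or more capabilities."""
    found = surveillance_capabilities(manifest_xml)
    return {"capabilities": found, "flag": len(found) >= threshold}


def build_manifest(package, perms):
    """Build a constructed manifest string for the demo below."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, p)
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="%s">%s</manifest>' % (package, uses))


# Constructed sample: a hypothetical "yoga" app asking for far more than it needs.
SAMPLE_MANIFEST = build_manifest("com.example.yoga", [
    "INTERNET", "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO",
    "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG"])

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flag here is a triage signal only: legitimate messaging applications also request many of these permissions, so the result should be weighed against what the app claims to do.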