Pegasus-Like Spyware Targets South Korean CitizensPhoneSpy: New Campaign From Updated Older Malware
A new espionage campaign has allowed an unidentified threat actor to access data, including communications and services, on thousands of devices belonging to South Koreans, reports Aazim Yaswant, an Android malware analyst at mobile security company Zimperium.
The threat actors have been using a spyware called PhoneSpy on the victims' mobile devices in an ongoing campaign, Zimperium's mobile threat research team, zLabs, notes in a blog post.
Zimperium says it has notified and submitted all unredacted research data to the relevant U.S. and South Korean authorities.
The motive of the attack may include espionage and intellectual property theft to leverage personal information for ransom and phishing activities, says former CIA cyberthreat analyst Rosa Smothers, senior vice president of cyber operations at security firm KnowBe4.
"The fact that it is focused on South Korean citizens - of course, their neighbor to the north is an obvious suspect," she tells ISMG.
The Spy in Your Phone
Although similar to NSO Group's Pegasus spyware in terms of the capabilities it allows attackers, PhoneSpy does not exploit vulnerabilities in mobile devices or operating systems and is not found on Android app stores either - including third-party or regional stores -says Yaswant. "Attackers are using distribution methods based on web traffic redirection or social engineering," he says.
PhoneSpy is an advanced remote access Trojan that is connected to a command-and-control server, from which it receives all its execution commands, the researchers say. The research team has identified 23 applications carrying the malware, disguised as apps offering services such as TV streaming, photo management and yoga instruction, they add.
In most of the applications discovered by the researchers, the app requests permissions post-installation and opens a phishing page that imitates the login page of popular South Korean messaging app KakaoTalk to steal credentials, the researchers say.
The threat actors use KakaoTalk because the platform's single sign-on feature can be used to log into other services in South Korea, the researchers say. "This way, they get access to a majority of other apps and corresponding data," adds Yaswant.
According to Yaswant, attackers can leverage the access to:
- Exfiltrate data, including emails and other sensitive information;
- Exfiltrate a complete list of installed applications and steal credentials using phishing;
- Record or livestream video or audio;
- View SMS messages, including two-factor authentication messages;
- Send SMS messages as the device’s owner;
- Edit contact information in the address book;
- Enable call forwarding to whichever number or device the attacker chooses;
- View the GPS location of the device.
All the exfiltration and execution commands are sent by the C&C server, which also has a web-based interface and is protected by an authentication mechanism using credentials, the researchers note. In all, there are 33 different commands and corresponding actions, they add.
For example, command 33 sends a phishing URL to the device, as shown in the image below, and PhoneSpy loads the page. Credentials typed into these forms are sent back to the C&C server, where they are stored without the users' knowledge, the researchers say.
The Zimperium team tells ISMG that it has reported the host of the C&C server multiple times and offered support to authorities to take down the malicious services.
Data Collection Implications
The malicious actors responsible for PhoneSpy have gathered a significant amount of personal and corporate information on their victims, including private communications and photos, the researchers say. Although Zimperium was unable to establish a strong connection between the confirmed victims, "the ability to download contact lists and send SMS messages on behalf of the victim raises the chances of the malicious actors targeting contacts and connections of current victims with phishing links," the researchers add.
"Many people trust the security and privacy of chat applications [such as KakaoTalk] that promise end-to-end encryption. However, when the victim explicitly allows the installation of the malware through other sources and not the official app stores, and is likely tricked into providing significant permissions in the process, these protections of encryption are likely bypassed, giving the attackers access to these conversations," says Erich Kron, security awareness advocate at cybersecurity firm KnowBe4.
"This information can be used against the victims to extort them for money or into doing a task for the cybercriminals. By having access to these conversations, the attackers may even be able to extort money from people whose phones were not even the infected ones," he tells ISMG.
Zimperium has listed indicators of compromise and SHA-256 hashes of respective malicious applications in its blog to help with quick identification of the spyware.
People need to be more aware of the risks of granting the absurdly broad permissions requested by applications, says Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.
"There needs to be much more concerted awareness campaigns to educate users of these risks. Expecting nontechnical people to inherently understand the nuances of these risks doesn’t make sense. The onus needs to be on governments and manufacturers to ensure citizens and users have a clear understanding of the risks posed from their devices," Clements tells ISMG.
In addition, Google/Android could do more to emphasize the risk of granting permissions to an app not vetted by official stores and present a more strenuous warning when the app requests permissions, especially if they appear to be overly broad, he adds.
PhoneSpy is not new, threat analyst Smothers tells ISMG. The Android-based malware app has, in fact, been around since at least 2015, she says. "Given the changes in Android since then, the threat actors have made some dramatic updates to the malware - likely to match the most widely used Android OS, version 10," she says.
The original PhoneSpy malware injected code into Google Play store apps, which was then reposted into third-party app stores, taking advantage of Android's side-loading capability, she says. "From there, the threat actors were able to escalate to admin rights, giving them full access. This previous iteration then uploaded data to a specific URL."