The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been found using mobile-only malware families in its attack campaigns.
“BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims,” Lookout said in an analysis. “Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists.”
Gamaredon, also known as Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia’s Federal Security Service (FSB).
Last week, Recorded Future’s Insikt Group revealed the threat actor’s use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop.
It is believed that BoneSpy has been operational since at least 2021, whereas PlainGnome emerged only earlier this year. Targets of the campaign likely include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has been the group’s sole focus.
Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland, in April 2022 and February 2023.
Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan “may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion.”
The attribution of the new malware to Gamaredon stems from its reliance on dynamic DNS providers and on overlaps in IP addresses that point to command-and-control (C2) domains used in both the mobile and desktop campaigns.
BoneSpy and PlainGnome differ in one important respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also custom malware, but one that requires the victim to grant it permission to install other apps via REQUEST_INSTALL_PACKAGES.
Both surveillance tools implement a broad range of features to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access.
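The two traits just described, a manifest that asks for the permissions behind SMS, call-log, audio, camera, location and contact collection, and (for the dropper variant) REQUEST_INSTALL_PACKAGES, are exactly what an analyst checks first when triaging a suspicious APK. The script below is an added example written for this article; it is not Lookout's tooling and the manifests in it are constructed, not those of BoneSpy or PlainGnome. It assumes the manifest has already been decoded from its binary form (for instance with apktool), and the package names and permission sets are illustrative.

```python
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that correspond to the data categories the article lists as
# collected by both tools. Mapping is permission -> human-readable category.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "call or ambient audio",
    "android.permission.CAMERA": "device camera",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.READ_PHONE_STATE": "device and carrier details",
}

# The permission a dropper needs before it can prompt the user to install a
# second, embedded APK (the behaviour the article attributes to PlainGnome).
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# A single sensitive permission is normal for many legitimate apps (a gallery
# app needs CAMERA); this many distinct data categories together is the point
# at which manual review is warranted. Threshold is a triage heuristic.
SURVEILLANCE_THRESHOLD = 3


def triage_manifest(manifest_xml: str) -> dict:
    """Summarise surveillance- and dropper-relevant permissions in a decoded
    AndroidManifest.xml and assign a coarse triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    } - {None}

    hits = sorted(p for p in requested if p in SURVEILLANCE_PERMISSIONS)
    data_at_risk = sorted({SURVEILLANCE_PERMISSIONS[p] for p in hits})
    can_install = INSTALL_PERMISSION in requested
    surveillance_profile = len(data_at_risk) >= SURVEILLANCE_THRESHOLD

    if surveillance_profile and can_install:
        verdict = "surveillance-and-dropper"   # PlainGnome-like shape
    elif surveillance_profile:
        verdict = "standalone-surveillance"    # BoneSpy-like shape
    elif can_install:
        verdict = "install-capable-review"     # sideloading alone: check why
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "surveillance_permissions": hits,
        "data_at_risk": data_at_risk,
        "can_install_packages": can_install,
        "verdict": verdict,
    }


def _manifest(package: str, permissions: list[str]) -> str:
    """Build a minimal decoded manifest for the constructed samples below."""
    uses = "\n".join(
        f'    <uses-permission android:name="{p}"/>' for p in permissions
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        f'    package="{package}">\n{uses}\n'
        '    <application android:label="demo"/>\n</manifest>'
    )


# Constructed samples (hypothetical package names, not real indicators).
_SPY_PERMS = [
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
]
SAMPLE_STANDALONE = _manifest("com.example.batterymonitor", _SPY_PERMS)
SAMPLE_DROPPER = _manifest("com.example.gallery", _SPY_PERMS + [INSTALL_PERMISSION])
SAMPLE_BENIGN = _manifest("com.example.flashlight", ["android.permission.CAMERA"])

if __name__ == "__main__":
    for sample in (SAMPLE_STANDALONE, SAMPLE_DROPPER, SAMPLE_BENIGN):
        result = triage_manifest(sample)
        print(f"{result['package']}: {result['verdict']} "
              f"(data at risk: {', '.join(result['data_at_risk']) or 'none'})")
```

The verdict is a filter for where to spend reverse-engineering time, not a detector: a trojanized Telegram build, as the article mentions, will legitimately request most of these permissions, so a high score only tells you which samples deserve a look at what the app actually does with them.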
The exact mechanism by which the malware-laced apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app.
“While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base,” Lookout said.