Security researchers have discovered a new spyware campaign called PhoneSpy. The spyware disguises itself as a legitimate-looking application but secretly steals data and eavesdrops on phones.
Researchers from cybersecurity firm Zimperium found the PhoneSpy spyware lurking in 23 Android apps. The apps used to spread the spyware vary, ranging from yoga guides and photo galleries to photo editors and others.
"This malicious Android application is designed to run silently in the background, continuously spying on its victims without arousing suspicion," said Zimperium researcher Aazim Yaswant, as quoted by Ars Technica, Friday (12/11/2021).
"We believe the malicious actors responsible for PhoneSpy have collected a large amount of personal and corporate information, including communications and private photos."
These applications already look suspicious during installation because they request an excessive number of permissions, including camera, contacts, location, microphone, SMS, and others.
Once the phone is infected, this spyware secretly steals important information from the phone such as login credentials, messages, location, and photos. PhoneSpy spyware can also access victims' cameras to take photos and record videos without their knowledge.
Zimperium warns that the data collected by this spyware can be used for anything from personal and corporate extortion to espionage. The spyware is also difficult to detect unless victims diligently monitor their web traffic.
Here's a complete list of things the PhoneSpy spyware can do on an infected phone:
Collect a complete list of installed apps
Steal credentials via phishing
Steal photos
Monitor GPS location
Steal SMS
Steal phone contacts
Steal phone call logs
Record audio in real-time
Record video in real-time using the front and rear cameras
Access the camera to take photos using the front and rear cameras
Send SMS to a phone number controlled by the attacker
Retrieve device information (IMEI, brand, device name, Android version)
Hide its presence by removing the app icon from the menu
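As an added illustration (not from Zimperium's report or the original article), the following audit maps the permissions requested in a decoded AndroidManifest.xml to the capability groups listed above and flags apps that cover many of them at once. The permission names are standard Android ones; the grouping, the threshold of five, the helper names, and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Standard Android permission names, grouped by capability from the list above.
# The grouping is this example's assumption, not taken from Zimperium's report.
CAPABILITY_PERMISSIONS = {
    "camera": {"CAMERA"},
    "audio recording": {"RECORD_AUDIO"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "contacts": {"READ_CONTACTS"},
    "call logs": {"READ_CALL_LOG"},
    "device info": {"READ_PHONE_STATE"},
    "stored photos": {"READ_EXTERNAL_STORAGE"},
}
THRESHOLD = 5  # assumption: flag apps that cover at least this many groups

def requested_permissions(manifest_xml):
    """Return the android.permission.* names requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission"))
    return {n[len(PREFIX):] for n in names if n.startswith(PREFIX)}

def audit(manifest_xml):
    """Map requested permissions to capability groups and flag broad coverage."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    return {"capabilities": hits, "flagged": len(hits) >= THRESHOLD}

def build_manifest(package, perms):
    """Build a constructed sample manifest (not a real app's manifest)."""
    uses = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))

# Constructed samples: a "yoga guide" asking for far more than it needs, and a benign app.
YOGA_SAMPLE = build_manifest("com.example.yogaguide", [
    "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS", "SEND_SMS",
    "READ_CONTACTS", "READ_CALL_LOG", "READ_PHONE_STATE", "INTERNET"])
BENIGN_SAMPLE = build_manifest("com.example.flashlight", ["CAMERA", "INTERNET"])

if __name__ == "__main__":
    for label, sample in (("yoga", YOGA_SAMPLE), ("flashlight", BENIGN_SAMPLE)):
        print(label, audit(sample))
```

The manifest inside an APK is stored in a binary form and must first be decoded to text XML (for example with apktool) before it can be parsed this way.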
Zimperium said the PhoneSpy spyware had already infected 1,000 victims. Currently all the victims are located in South Korea, but it is possible that people in other countries are also being targeted.
Zimperium found no evidence that the 23 apps containing the PhoneSpy spyware were available on the Google Play Store or third-party app stores. They suspect this spyware is spread using web traffic redirection or social engineering. The 23 applications are:
Videos
Picture
Secret TV
videos
Daily Yoga
Gallery
Vera (3 apps with the same name)
Videos
Gallery
My Picture
Voice Support
Gallery (3 apps with the same name)
Gallery
Cloud
Porn
1004 Yoga
Gallery
TV - Hannah TV
Security Camera
The capabilities of this spyware are very sophisticated, and are similar to the Pegasus malware developed by the NSO Group. The Pegasus malware itself is sold by the NSO Group to governments around the world to spy on criminals, terrorists, dissidents, and activists.
Zimperium doesn't know who is behind the PhoneSpy spyware, but they have reported this spyware campaign to the US and South Korean authorities.
As of Wednesday morning, the PhoneSpy spyware campaign was still active. Android users are also advised to be careful when downloading applications, especially if they come from unknown sources or developers.