
Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States



Mobile Security and Cyber Espionage

The Russia-linked state-sponsored hacking group known as Gamaredon has been identified as the perpetrator behind two newly discovered Android spyware tools named BoneSpy and PlainGnome. This marks a significant milestone, as it’s the first time Gamaredon has deployed malware exclusively targeting mobile devices in its operations.

According to cybersecurity firm Lookout, "BoneSpy and PlainGnome target former Soviet states and primarily focus on Russian-speaking individuals. These spyware tools harvest data such as SMS messages, call logs, audio recordings of phone calls, device location, photos, and contact lists."


Who is Gamaredon?

Gamaredon, also referred to by aliases like Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB).

Recently, cybersecurity analysts from Recorded Future's Insikt Group revealed Gamaredon's use of Cloudflare Tunnels to obscure its infrastructure that delivers malicious payloads such as GammaDrop.


Key Details About BoneSpy and PlainGnome

  • BoneSpy has been operational since at least 2021.
  • PlainGnome emerged earlier this year (2024).
  • Both tools have been observed targeting countries like Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan, based on submissions to VirusTotal.
  • Notably, there’s no evidence indicating their use against Ukraine, which has been a primary target of Gamaredon in the past.

ESET previously reported in September 2024 that Gamaredon had attempted but failed to infiltrate NATO member states, including Bulgaria, Latvia, Lithuania, and Poland, during 2022 and early 2023.


Why Target Former Soviet States?

Lookout suggests that the focus on Central Asian countries such as Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan could be linked to deteriorating diplomatic relations between these nations and Russia following the invasion of Ukraine.


Technical Insights into the Spyware

The attribution of these new malware families to Gamaredon rests on infrastructure overlap rather than shared code: both spyware tools rely on dynamic DNS providers, a long-standing Gamaredon habit, and their command-and-control (C2) domains resolve to IP addresses that overlap with the C2 infrastructure used in the group's desktop campaigns.


Differences Between BoneSpy and PlainGnome

  1. BoneSpy:

    • Derived from the open-source Droid-Watcher spyware.
    • Functions as a standalone application.
  2. PlainGnome:

    • Custom-built spyware.
    • Acts as a dropper for another embedded surveillance payload.
    • Requires victims to grant permissions, such as REQUEST_INSTALL_PACKAGES, to install additional malicious apps.


Capabilities of the Spyware Tools

Both BoneSpy and PlainGnome possess advanced surveillance features, allowing them to:

  • Track device location.
  • Collect SMS messages, call logs, contact lists, browser history, photos, screenshots, and audio recordings.
  • Record ambient audio and capture notifications.
  • Gather device-specific data, including cellular service provider details.
  • Attempt to gain root access to infected devices.
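
The capability list above, together with the REQUEST_INSTALL_PACKAGES requirement noted for the PlainGnome dropper, maps onto a recognizable Android permission profile. The script below is an added example (not Lookout's tooling or code from either malware family) that triages `adb shell dumpsys package packages` output for apps whose requested permissions cover several of those capabilities at once. The mapping from capability to permission is the editor's own, the package names and the dumpsys excerpt are constructed for offline use, and notification capture (a NotificationListenerService) and root attempts leave no trace in requested permissions, so a match is a lead for further analysis, not a verdict.

```python
"""Triage installed Android apps for a spyware-like permission profile.

Added example, not Lookout's or Gamaredon's code. Usage:
    adb shell dumpsys package packages > pkgs.txt && python triage.py pkgs.txt
Without an argument it runs against the constructed excerpt below.
"""
import re
import sys

# Capability named in the article -> Android permissions that grant it.
# The mapping is the editor's own; the permission names are real Android constants.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "telephony": {"android.permission.READ_PHONE_STATE"},
    # Needed by a dropper that sideloads a second payload (the PlainGnome pattern).
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# `dumpsys package` opens each app's block with "Package [<name>] (<hash>):".
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"\b(android\.permission\.[A-Z_]+)\b")

# Constructed dumpsys excerpt: package names and hashes are placeholders, not real samples.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.batterysaver] (3f2a1c):
    userId=10231
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_PHONE_STATE
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.weather] (91bb07):
    userId=10118
    requested permissions:
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.INTERNET
"""


def parse_dumpsys(text):
    """Return {package: set(permission names)} from `dumpsys package` output."""
    perms = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            perms.setdefault(current, set())
            continue
        if current:
            # Any android.permission.* token in the block counts, whether it
            # appears under "requested", "install" or "runtime" permissions.
            perms[current].update(PERM_RE.findall(line))
    return perms


def capability_profile(permissions):
    """Sorted list of article capabilities this permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if permissions & needed)


def suspicious_packages(text, min_capabilities=4):
    """Packages whose permissions cover at least min_capabilities capabilities."""
    hits = {}
    for pkg, permissions in parse_dumpsys(text).items():
        caps = capability_profile(permissions)
        if len(caps) >= min_capabilities:
            hits[pkg] = caps
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for pkg, caps in suspicious_packages(text).items():
        print(f"{pkg}: {', '.join(caps)}")
```

A battery-monitoring app that requests SMS, call-log, microphone, location and contact access plus the right to install other packages stands out immediately; a weather app asking only for coarse location does not. Lower `min_capabilities` to widen the net when hunting, and treat `sideload` as a strong signal on its own, since legitimate utility apps rarely need it.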


How Are the Apps Distributed?

The exact method of distribution remains unclear. However, it’s suspected that Gamaredon uses social engineering tactics, disguising the malware as legitimate apps such as:

  • Battery monitoring tools.
  • Photo gallery apps.
  • A fake Samsung Knox app.
  • Trojanized versions of popular apps like Telegram.


Unique Characteristics

Although PlainGnome and BoneSpy share similar functionality, Lookout notes that PlainGnome was not developed using the same codebase as BoneSpy, highlighting the group's ability to diversify its malware arsenal.


Conclusion

Gamaredon’s deployment of BoneSpy and PlainGnome underscores its growing interest in mobile platforms as part of its broader espionage campaigns. The focus on Central Asia and the advanced capabilities of these spyware tools demonstrate the persistent threat posed by state-sponsored actors.

Stay vigilant and ensure your devices are secured to guard against such cyber threats.
