Android is an extremely popular mobile operating system. It's versatile, very capable, and it is also very customizable.
But that flexibility comes with a huge drawback: security issues. Not that Android is less secured, but the way its ecosystem works, allows malicious actors to slip through the cracks. And this time, Android users are having yet another malware to worry about.
Called the 'PhoneSpy', the malware that was first discovered by researchers at Zimperium, has been found in at least 23 apps.
The malware laced itself to appear like legitimate apps, including a Yoga companion app, the Kakao Talk messaging app, an image gallery browser, a photo editing tool, and more.
And with that many apps, the malware is already infecting thousands of devices.
"These malicious Android apps are designed to run silently in the background," Zimperium said in a blog post, "constantly spying on their victims without raising any suspicion. We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos."
PhoneSpy can do all that because it has extensive control over infected devices.
Just like apps in general, the PhoneSpy-infected apps ask for permissions upon installation.
But in its case, the amount of permissions it requires, is huge.
Once granted, the malware is free to do things as it pleases, "with little to no interruption.” the researchers said.
For example, the malware can be used to steal call logs, text messages, user locations, photos, videos, and more. It can even take pictures, and send text messages, and tamper with phone calls among other things.
Apart from the spyware functionality, some of the apps can also try to steal people's credentials by displaying fake login pages for various sites.
The apps can also exfiltrate device information (IMEI, Brand, device name, Android version).
Making it even more worrying, the malware can hide the apps it used to infect the device to make it harder for anyone to detect, and can also install additional apps by itself.
While the researchers are not sure of the PhoneSpy-infected apps are targeting specific people, organizations, or industries, but what is certain, most victims come from South Korea.
"With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices," Zimperium researcher said.
Furthermore, the spectrum of the stolen data is wide enough to support almost any malicious activity.
Zimperium noted that the stolen information could be used to blackmail victims or facilitate phishing attempts.
"The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss."
"Many of the applications are facades of a real app with none of the advertised user-based functionality," the researchers explained. "In a few other cases, like simpler apps that advertise as photo viewers, the app will work as advertised all while the PhoneSpy spyware is working in the background."
"Similar to other mobile spyware we have seen, the data stolen from these devices could be used for personal and corporate blackmail and espionage," Zimperium explained. "The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices."
From the amount of data it can steal, PhoneSpy resembles the Pegasus, the Israeli-made malware that has been used to spy on high-profile lawyers, activists, government figures, and journalists.
"PhoneSpy and other examples of mobile spyware show that these toolsets and frameworks can be broken down and rebuilt over and over again with updated code and capabilities, giving the attackers the upper hand. And it's only increasing in popularity for everyone from nation states targeting dissidents to corporations spying on competition due to the lack of advanced security surrounding most of these critical devices."
The researchers at Zimperium said that the 23 malicious apps associated with the spyware are not found within Google Play Store or in "third-party or regional stores."
Instead, the researchers believe that the apps are "most likely distributed through web traffic redirection or social engineering."
This can include social media, forums, websites, and also torrents.
A potential distribution method may be via SMS sent by the compromised device to its contact list since the malware is capable.