A Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware families called BoneSpy and PlainGnome, marking the first time the adversary has been found using mobile-only malware in its attacks.
“BoneSpy and PlainGnome target former Soviet countries and focus on Russian-speaking victims,” Lookout said in the analysis. “Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone conversation audio, photos from device cameras, device location, and contact lists.”
Gamaredon, also known as Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia’s Federal Security Service (FSB).
Recorded Future’s Insikt Group last week revealed the threat actor’s use of Cloudflare Tunnels as a tactic to hide the staging infrastructure hosting malicious payloads such as GammaDrop.
BoneSpy is believed to have been around since at least 2021, whereas PlainGnome only emerged earlier this year. Based on artifacts submitted to VirusTotal, the campaign’s likely targets are in Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. At this stage, there is no evidence that the malware was used against Ukraine, which had previously been the group’s exclusive focus.
Back in September 2024, ESET also disclosed that Gamaredon had unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania and Poland, in April 2022 and February 2023.
Lookout theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan and Kyrgyzstan “could be related to the deterioration of relations between these countries and Russia after the invasion of Ukraine.”
The attribution of the new malware to Gamaredon rests on the group’s reliance on dynamic DNS providers and on overlaps in the IP addresses behind the command-and-control (C2) domains used by both the mobile and the desktop campaigns.
BoneSpy and PlainGnome differ in one important respect: the former, derived from the open-source DroidWatcher spyware, is a standalone application, while the latter acts as a dropper for an embedded surveillance payload. PlainGnome is also custom-built malware, but it must obtain the victim’s consent to install other apps via the REQUEST_INSTALL_PACKAGES permission.
Both spyware families implement a wide range of features to track location, collect information about the infected device, and harvest SMS messages, call logs, contact lists, browser history, audio recordings, ambient sound, notifications, photos, screenshots and cellular carrier details. They also attempt to gain root access.
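The capability list above maps almost one-to-one onto Android permissions, and the dropper behaviour of PlainGnome maps onto a single additional permission, so a defender triaging a suspicious APK can get a quick first read from the decoded manifest alone. The script below is an added example, not Lookout's tooling or anything from the report; it assumes a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and uses two constructed sample manifests with placeholder package names.

```python
"""Permission-based triage for Android spyware-like APKs.

Added example (not Lookout's code): given a decoded AndroidManifest.xml,
list which of the surveillance capabilities described for BoneSpy/PlainGnome
the app could exercise, and flag REQUEST_INSTALL_PACKAGES, the permission a
dropper like PlainGnome needs to install its embedded payload.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permissions mapped to the data category each one unlocks.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "phone/ambient audio",
    "android.permission.CAMERA": "photos from device cameras",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_CONTACTS": "contact lists",
}
DROPPER_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every permission the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                perms.add(name)
    return perms


def notification_listener_declared(manifest_xml: str) -> bool:
    """Notification access is granted to a <service> guarded by the
    BIND_NOTIFICATION_LISTENER_SERVICE permission, not via uses-permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER
               for svc in root.iter("service"))


def triage(manifest_xml: str) -> dict:
    """Summarise surveillance capabilities and dropper potential.

    The score is a simple heuristic: one point per distinct data category,
    plus two for REQUEST_INSTALL_PACKAGES, since a dropper that can also
    collect data is the PlainGnome pattern worth a closer look.
    """
    perms = declared_permissions(manifest_xml)
    capabilities = {SURVEILLANCE_PERMISSIONS[p]
                    for p in perms if p in SURVEILLANCE_PERMISSIONS}
    if notification_listener_declared(manifest_xml):
        capabilities.add("notifications")
    dropper_capable = DROPPER_PERMISSION in perms
    score = len(capabilities) + (2 if dropper_capable else 0)
    if score >= 4:
        verdict = "suspicious"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {
        "capabilities": sorted(capabilities),
        "dropper_capable": dropper_capable,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: a "battery monitor" lookalike requesting far more than
# a battery monitor needs, plus the dropper permission. Package name is fake.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterymonitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a plain network-using app with no surveillance surface.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Permissions are a coarse signal: a legitimate messaging app also declares READ_SMS and READ_CONTACTS, so the verdict is a prompt for analyst review, not a detection on its own. Declared permissions do, however, bound what an app can do without a root exploit, which is why both families also try to gain root.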
The exact mechanism by which the malicious apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the malware posing as battery monitoring apps, photo gallery apps, fake Samsung Knox apps, and fully functional but trojanized Telegram apps.
“While PlainGnome, which first appeared this year, has a lot of overlap in functionality with BoneSpy, it doesn’t appear to have been developed on the same code base,” Lookout said.