Android users warned of chilling Russian spy attack that records phone calls

Recent findings from cybersecurity experts at Lookout have unveiled a concerning trend involving malware that targets Android devices, specifically designed to record phone calls and access personal photos. This malicious software is cleverly concealed within counterfeit versions of popular applications, including Telegram and Samsung Knox, a well-known mobile security platform.

Malware Overview

Two distinct strains of malware are at the forefront of these attacks: BoneSpy, which has been operational since 2021, and its more advanced counterpart, PlainGnome, identified earlier this year. Both strains are attributed to a group of cyber spies known as Gamaredon, believed to be affiliated with Russia’s Federal Security Agency (FSB). Their primary targets appear to be Russian-speaking Android users.

Experts have noted that BoneSpy is capable of a wide range of intrusive activities, including:

  • Collecting text messages
  • Recording audio and phone calls
  • Capturing location data
  • Taking pictures and screenshots
  • Accessing browser history
  • Reading notifications

PlainGnome, the more sophisticated successor, incorporates all of these features while adding layers of stealth. Notably, it records audio and phone calls only when the device’s screen is off or idle, significantly reducing the likelihood of detection by users. Alarmingly, neither strain has been found on Google Play, leading experts to believe that victims inadvertently install the malware themselves, often following social engineering attacks.

Understanding Social Engineering Attacks

Social engineering attacks represent a prevalent form of phishing scam, utilizing psychological manipulation to persuade individuals to divulge personal information or to click on malicious links. Once the malware is downloaded, it requests dangerous permissions, such as access to text messages and camera functions. Given that the malware masquerades as legitimate messaging and security applications, victims may unwittingly grant these permissions.
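The two traits described above, installation from outside Google Play and granted dangerous permissions, can be checked together on a device you own. The following is an added example, not code from Lookout or Google: it parses constructed samples of `adb shell pm list packages -i -3` and `adb shell dumpsys package <name>` output, and the package names, trusted-installer list and threshold are assumptions.

```python
import re

# Assumption: only Google Play is treated as a trusted installer; extend as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions matching capabilities the article lists (SMS, audio, location, pictures).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PACKAGES = """\
package:org.telegram.messenger  installer=com.android.vending
package:com.example.messenger.fake  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""

# Constructed excerpts of `adb shell dumpsys package <name>` permission lines.
SAMPLE_DUMPSYS = {
    "org.telegram.messenger": """
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    """,
    "com.example.messenger.fake": """
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
    """,
    "com.example.flashlight": """
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    """,
}

def parse_installers(text):
    """Map package name -> installer package (the string 'null' if sideloaded)."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", text, re.M))

def granted_permissions(dumpsys_text):
    """Return the set of permissions reported as granted=true."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", dumpsys_text, re.M))

def flag_sideloaded(packages_text, dumpsys_by_pkg, threshold=2):
    """Flag apps from untrusted installers holding >= threshold sensitive permissions."""
    findings = []
    for pkg, installer in parse_installers(packages_text).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        held = granted_permissions(dumpsys_by_pkg.get(pkg, "")) & SENSITIVE
        if len(held) >= threshold:
            findings.append((pkg, installer, sorted(held)))
    return findings
```

A flagged package is a prompt for manual review, not proof of infection; legitimately sideloaded apps can hold the same permissions.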

Signs of Infection

Google has provided a list of indicators that may suggest an Android device is infected with malware. Users should be vigilant for the following signs:

  • Google signed you out of your account as a protective measure against malware.
  • Suspicious signs such as persistent pop-up ads.

Device symptoms may include:

  • Alerts regarding a virus or infected device
  • Malfunctioning antivirus software
  • A noticeable decrease in operating speed
  • Unexpected loss of storage space
  • General device malfunction or failure

Browser symptoms can manifest as:

  • Virus alerts or notifications of an infected device
  • Persistent pop-up ads and new tabs
  • Recurring unwanted Chrome extensions or toolbars
  • Uncontrolled browsing behavior, including redirects to unfamiliar sites
  • Unauthorized changes to your Chrome homepage or search engine

Additionally, other symptoms may include:

  • Your contacts receiving emails or social media messages from you that you did not send.

As the landscape of mobile security continues to evolve, vigilance and awareness remain paramount for users to protect themselves against these sophisticated threats.

AppWizard