espionage campaign Archives

AppWizard

March 12, 2025

Spyware in bogus Android apps is attributed to North Korean group

Researchers from Lookout have identified a malware strain named KoSpy, linked to North Korean state-sponsored hackers, specifically the advanced persistent threat group ScarCruft (APT37). KoSpy targets Android devices to surveil Korean and English-speaking users and has been found on the Google Play Store and third-party app stores, disguised as utility applications. The malware can harvest sensitive information, including call logs, text messages, files, audio recordings, screenshots, and user location data. Google has removed all infected applications from its platform, confirming that the latest version was taken down before installations occurred. KoSpy first emerged in March 2022, with new samples appearing as recently as last year. The applications associated with KoSpy often have Korean titles and support both English and Korean languages. KoSpy shares infrastructure with another North Korean hacking group, Kimsuky (APT43), which has conducted spearphishing attacks. ScarCruft has targeted South Korean users and expanded its reach to countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations. In January, ScarCruft was linked to an espionage campaign against media organizations and academics, and in October, it was connected to a malware operation in Southeast Asia.

AppWizard

March 12, 2025

North Korean government hackers snuck spyware on Android app store

A report from cybersecurity firm Lookout reveals that North Korean hackers have uploaded Android spyware, named KoSpy, onto the Google Play app store, which has been downloaded over ten times. The spyware masquerades as a file manager and is designed for surveillance, collecting data such as SMS messages, call logs, device location, files, keystrokes, Wi-Fi details, installed apps, audio recordings, images, and screenshots. Google has removed the identified apps from the Play Store and deactivated associated Firebase projects. Lookout also found instances of KoSpy on the third-party app store APKPure. The campaign appears targeted at individuals in South Korea who speak English or Korean, with links to North Korean hacking groups APT37 and APT43.

AppWizard

December 7, 2024

FBI warns users to encrypt text messages for cybersecurity. Here’s how to do it

The FBI has advised smartphone users to encrypt text messages, especially when communicating between Apple and Android devices, due to a cyber espionage campaign linked to hackers from the People's Republic of China. These hackers have targeted telecommunications infrastructure and stolen sensitive customer call records. Standard text messages between Apple and Android devices lack encryption, while messages between two devices of the same platform are secure. Users are encouraged to use secure messaging apps like WhatsApp and Signal, which provide end-to-end encryption. To use WhatsApp, users must download the app, accept terms, verify their phone number, and set up their profile. For Signal, users follow a similar process of downloading the app, verifying their phone number, creating a PIN, and setting up their profile. Both apps require Wi-Fi or cellular data for operation.

AppWizard

December 5, 2024

Warning: These 12 Android Apps Could Be Listening to Your Conversations

Smartphones have become essential tools for communication and financial management, but they also expose users to privacy risks. Cybersecurity investigations have found that certain Android applications may secretly record conversations and steal personal information. A report by cybersecurity firm ESET identified malicious apps distributed via Google Play and third-party channels that masquerade as legitimate tools. One tactic used by hackers involves initiating romantic dialogues on platforms like Facebook Messenger or WhatsApp to gain victims' trust before persuading them to install infected apps, such as those containing the VajraSpy Trojan. Malicious applications fall into three groups: 1. Standard Messaging Apps with Hidden Trojans: Apps like Hello Chat, MeetMe, and Chit Chat request access to contacts and phone numbers while secretly gathering sensitive data. 2. Apps Exploiting Accessibility Features: Apps like Wave Chat use Android’s accessibility features to intercept communications from secure applications, eavesdropping on conversations and capturing notifications. 3. The Single Non-Messaging App: Nidus, a news application, requests sensitive information despite lacking messaging capabilities. A list of 12 identified malicious apps includes Rafaqat, Privee Talk, MeetMe, Let’s Chat, Quick Chat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat, and Wave Chat. Six of these were available on the Google Play Store and had over 1,400 downloads before removal. To protect privacy, users should uninstall suspicious apps, change passwords, enable two-factor authentication, run security scans, and exercise caution when downloading apps.

AppWizard

November 19, 2024

Remove these 12 Android apps that capture your conversations

Certain Android applications have been identified as covertly capturing conversations and personal data without user awareness. A cyber espionage campaign uncovered by ESET revealed that twelve malicious apps were distributed through the Google Play Store and alternative channels, designed to mimic legitimate applications. These apps include: 1. Rafaqat 2. Privee Talk 3. MeetMe 4. Let’s Chat 5. Quick Chat 6. Chit Chat 7. YohooTalk 8. TikTalk 9. Hello Chat 10. Nidus 11. GlowChat 12. Wave Chat The first six apps were available on the Google Play Store and had over 1,400 downloads each before being removed. The malicious apps can steal contacts, SMS messages, call logs, and more, with some leveraging Android’s accessibility features to intercept communications from secure platforms. Users are advised to uninstall these apps immediately and take steps to protect their privacy, including changing passwords and enabling two-factor authentication.

AppWizard

October 23, 2024

Delete These 12 Android Apps That Record Your Conversations – Jason Deegan

Security researchers at ESET have identified twelve malicious Android apps capable of recording audio in the background and other intrusive actions. Six of these apps were distributed through the Google Play Store, while the other six were disseminated through less direct means. One tactic used by hackers involves posing as romantic interests on messaging platforms to persuade targets to download infected apps containing the VajraSpy Trojan. The malicious apps fall into three categories: 1. Infected messaging apps that steal personal information and run a Trojan in the background. 2. Apps that exploit accessibility features to intercept communications on WhatsApp and Signal, with one app, Wave Chat, capable of recording phone calls and ambient sounds. 3. A disguised news app that requests personal information and can intercept contacts and files. The identified malicious apps to uninstall include Rafaqat, Privee Talk, MeetMe, Let’s Chat, Quick Chat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat, and Wave Chat. The first six were downloaded over 1,400 times from the Google Play Store before being removed.

Winsage

October 14, 2024

OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

The Iranian threat actor known as OilRig is exploiting a patched privilege escalation vulnerability (CVE-2024-30088) in the Windows Kernel as part of a cyber espionage campaign targeting the United Arab Emirates and the Gulf region. OilRig, also referred to as Earth Simnavaz and by other aliases, employs advanced tactics including a backdoor that exploits Microsoft Exchange servers for credential theft. Their recent operations involve a previously undocumented implant for exfiltrating credentials and the use of a web shell for initial access to vulnerable web servers. They utilize the ngrok remote management tool for persistence and movement within networks. The exploitation of the privilege escalation vulnerability allows the delivery of a backdoor called STEALHOOK, which transmits harvested data via the Exchange server. OilRig has also employed a password filter policy DLL (psgfilter.dll) to extract sensitive credentials. This group has a history of targeting critical infrastructure in geopolitically sensitive areas to maintain a persistent presence for further attacks.

AppWizard

September 27, 2024

SilentSelfie Exploited 25 Websites To Deploy Malicious Android Application

Researchers uncovered a cyber espionage campaign called “SilentSelfie” targeting Kurdish communities, exploiting 25 compromised websites with four variants of malicious JavaScript. The campaign, active since late 2022, utilized watering hole attacks and a covert Android application disguised as a news app to collect sensitive data, including location and contacts. The attackers employed obfuscation techniques and used compromised web servers for communication. A total of 21 Kurdish websites were affected, primarily linked to “Rojava” and Kurdish political entities. The campaign remained undetected for over 18 months, with potential links to Turkish intelligence, Syrian government agencies, and the Kurdistan Regional Government of Iraq. Compromised sites included ‘RojNews’ and ‘YPG Rojava.’

AppWizard

April 13, 2024

Researchers discover espionage campaign targeting Indian users via fake messaging apps – The Statesman

A cyber espionage campaign named 'eXotic Visit' targets Android users in India and Pakistan. The campaign disguises itself through fake messaging applications containing the XploitSPY malware that can extract personal data and evade detection by security tools. Several apps have been removed from Google Play, and approximately 380 victims have been affected by the campaign.

AppWizard

April 10, 2024

New XploitSPY Android Malware Attacking Indian Users Mimic as Messaging Apps

- ESET researchers have uncovered an espionage campaign called eXotic Visit targeting Android users in India and Pakistan. - The campaign disguises the XploitSPY malware as harmless messaging applications to deceive users. - The malware integrates with chat functionality of messaging apps, making it difficult to detect by security tools. - Approximately 380 victims have been ensnared by the malware. - Users are advised to download apps from reputable sources, stay informed about cyber threats, use security software, and check app permissions to protect themselves.