# PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens **[blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/](https://blog.zimperium.com/phonespy-the-app-based-cyberattack-snooping-south-korean-citizens/)** November 10, 2021 [November 10, 2021 Aazim Yaswant](https://blog.zimperium.com/author/aazim-bill-se-yaswant/) **_Update November 22, 2021: It has been determined that this specific campaign is no_** _longer active. The command and control server has been taken down, and the_ _infected devices are no longer under the control of the attackers._ Many of the malware campaigns we have detected over the last year have been global at scale, targeting anyone with little regard to their location. Recently, we discovered and began monitoring the activity behind PhoneSpy, a spyware aimed at South Korean residents with Android devices. With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices. Unlike other spyware campaigns we have covered that take advantage of vulnerabilities on the device, PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos. But in reality, the application is stealing data, messages, images, and remote control of Android ----- phones. The data stolen from victim devices ranged from personal photos to corporate communications. The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss. While the victims have been limited to South Korea, PhoneSpy is an example of how malicious applications can disguise their true intent. When installed on victims’ devices, they leave personal and corporate data at risk. With mobile devices playing critical roles in distributed and remote work, it is no surprise that spyware campaigns like PhoneSpy are on the rise. Samples of PhoneSpy were not found in any Android app store, indicating that attackers are using distribution methods based on web traffic redirection or social engineering. Once in control, the attackers can access the camera to take pictures, record video, and audio, get precise GPS location, view pictures from the device, and more. Zimperium zLabs identified the PhoneSpy spyware app during routine threat research, and the zLabs team launched an investigation after identifying multiple related malicious applications. **_Disclosure: Due to the nature of this spyware campaign, Zimperium has notified and_** _submitted all relevant threat data to US and South Korean authorities. The Zimperium_ _team also reported to the host of the command and control server multiple times,_ _offering support in a takedown of the malicious services. At the time of this writing, the_ _PhoneSpy spyware campaign is still active._ In this blog, we will: Cover the capabilities of the Android spyware; Discuss the techniques used to collect and store data; and Show the communication with the C&C server to exfiltrate stolen data. ## What Can PhoneSpy Spyware Do? The mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide variety of data and perform a wide range of malicious actions, such as: Complete list of the installed applications Steal credentials using phishing Steal images Monitoring the GPS location Steal SMS messages Steal phone contacts Steal call logs ----- Record audio in real-time Record video in real-time using front & rear cameras Access camera to take photos using front & rear cameras Send SMS to attacker-controlled phone number with attacker-controlled text Exfiltrate device information (IMEI, Brand, device name, Android version) Conceal its presence by hiding the icon from the device’s drawer/menu Upon infection, the victim’s mobile device will transmit accurate GPS locational data, share photos and communications, contact lists, and downloaded documents with the command and control server. Similar to other mobile spyware we have seen, the data stolen from these devices could be used for personal and corporate blackmail and espionage. The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices. ## How Does PhoneSpy Spyware Work? The PhoneSpy spyware disguises itself as various lifestyle apps targeting Korean-speaking users. It is most likely distributed through web traffic redirection or social engineering as it has not been detected in Android stores, including third-party or regional stores. After installation, the application requests permissions and opens a phishing page that imitates the login page of the popular South Korean messaging app “Kakao Talk” to steal credentials. The application follows the typical behavior of spyware by asking for permissions to exercise its capabilities. ----- ----- ----- **_Figures.1,2: The list of permissions requested by one of the applications_** After installation and launch, the app displays a login page and attempts to steal the credentials for “Kakao” which can be used to login into other services in South Korea with the Single-Sign-On feature. ----- **_Figures.3-5: The phishing pages hosted by the threat actors_** In most of the discovered applications, the application’s user/victim interaction is limited to the above sign-on, only to receive an error message. Many of the applications are facades of a real app with none of the advertised user-based functionality. In a few other cases, like simpler apps that advertise as photo viewers, the app will work as advertised all while the PhoneSpy spyware is working in the background. ----- **_Figure.6: Dynamic loading of content from the remote server_** ----- ----- ----- ----- ----- **_Figures.7-10: The fake gallery website displayed by the app & the files hosted on it_** While these actions are taking place in the foreground, the spyware abuses its permissions and acts as a Remote Access Trojan, leaving the device open to access for the threat actors. The spyware makes sure to avoid data redundancy by only uploading the latest data created after the last upload, as seen in Figure.11. ----- **_Figure.11: SMS data collection and exfiltration to the C&C server_** The command and control server stores all the exfiltrated data and maintains a communication channel with the infected devices to send commands. The table of commands and the corresponding actions are shown in Table.1. **Command** **Action** 0 Upload phone information such as Phone.No, IMEI, Android version, and Model Name 1 Upload the entire contacts list ----- 2 Delete a contact matching by phone number 3 Upload all the SMS stored in the device 4 Upload the latest call logs since the last upload 5 Upload all the photos from the sdcard 6 Upload all the videos from the sdcard 7 Get real-time GPS location 8 Send an SMS to a phone number with content, both as directed by the C&C server 9 Take photos using the Front Camera & upload them to the C&C server 10 Take photos using the Rear Camera & upload them to the C&C server 11 Real-time video streaming using the Front camera 12 Real-time video streaming using the Rear camera 13 Set the duration for real-time audio recording 14 Upload the recorded audio files 16 Add call forwarding 17 Remove call forwarding 18 Update call forwarding 21 Remove blocklisting of a phone number as directed by the C&C server 22 Add blocklisting of a phone number as directed by the C&C server 24 Collect the list of installed applications, including the icon, app version, package name, and update date. 25 Uninstall an application matching by package name 28 Download an apk from the link sent by the C&C server and install the application as an update 30 Insert contact with name and phone number as directed by the C&C server 31 Delete all the SMS stored in the infected device 32 Delete all call logs stored in the infected device ----- 33 Open a URL sent by the C&C server used for harvesting credentials through phishing. **_Table.1: Supported commands and associated actions_** The command and control server has a web-based interface and is protected by an authentication mechanism using credentials, as seen in Figure.12. **_Figure.12: The login panel of the C&C server_** The application is capable of uninstalling any user-installed applications, including mobile security apps. The device’s precise location is available in real-time to the malicious actors, all without the victim knowing. The spyware also enables the threat actor to use phishing pages for harvesting credentials of Facebook, Instagram, Google, and Kakao Talk, just like the phishing pages shown in Figures.13-15. The threat actor uses the command “33” to send a phishing URL to the device, and PhoneSpy loads the page. Any credentials typed into the forms are sent back to the command and control server. ----- ----- ----- ----- ----- ----- **_Figure.16: A collection of icons of some of the spyware applications_** ## The Victims of the PhoneSpy Spyware Campaign The Zimperium zLabs mobile threat research team identified 23 applications targeting South Korean citizens to date, infecting thousands of victims to this spyware campaign. These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion. We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos. Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high ----- chance that the malicious actors are targeting connections of current victims with phishing links. **_Figure.17: The victimology map_** ## Zimperium vs. PhoneSpy Spyware Zimperium zIPS customers are protected against PhoneSpy with our on-device z9 Mobile Threat Defense machine learning engine. Zimperium on-device phishing classifiers detect the traffic from the domain _https[:]//acd.kcpro.ga as malicious from inception with our machine learning-based_ technology, blocking all traffic to it and preventing attackers from taking effective control of any compromised devices. All the compromised and malicious applications found were also reviewed using Zimperium’s app analysis platform, z3A. All these apps returned reports of high privacy and security risks to the end-user. Zimperium administrators can create risk policies preventing users from installing high-risk apps like PhoneSpy. Key privacy risks identified by our z3A service analysis PhoneSpy infected apps are: Access to SMS messages, camera, call logs, contacts, and location, among others. The capability of recording audio, video, and starting phone calls. Use of MQTT library which can be used to track the user ----- Access device information such as phone number, device ID, if a call is active (and the phone number the call is being held with). Tamper with calls, being able to modify the phone number being dialed. Read/write access to the SD card. Exposed API keys. Key The main privacy risks identified by our z3A service analysis of PhoneSpy infected apps are: Exposed services with no permissions assigned. WebView enabled, which can be used to execute JavaScript code. Malware detected by z9 engine. The app is built with the debug flag. Use of system-level permissions and accessibility permissions. Can modify WiFi connections. Have the capability to perform overlay attacks (one of the main techniques used by Banker Trojans). To ensure your Android users are protected from PhoneSpy spyware, we recommend a [quick risk assessment. Any application with PhoneSpy will be flagged as a Suspicious App](https://www.zimperium.com/z3a-advanced-app-analysis) Threat on the device and in the zConsole. Admins can also review which apps are sideloaded onto the device, increasing the mobile attack surface and leaving data and users at risk. ## PhoneSpy Spyware’s Impact on Global Enterprises The PhoneSpy Android spyware campaign puts enterprises at as much, if not more, risk than consumers. The rise of bring your own device (BYOD) policies has blurred the line between work and personal data and any compromise to the security of an enterpriseconnected device puts all corporate data at risk. Spyware such as PhoneSpy has the capabilities to read corporate messages, install compromised versions of enterprise applications, and download locally stored data like documents and photos without the enterprise or end user knowing. The capability to turn on the mobile camera and microphone during in-person meetings is also a high risk to businesses. These capabilities, mixed with the common framework and approach of PhoneSpy, can impact an enterprise’s security, reveal critical and private data, and lead to loss of customers, research, and data. ## Indicators of Compromise **C&C servers** 1.234.82[.]23 1.234.82[.]31 175.126.146[.]147 ----- https[:]//acd.kcpro.ga **SHA-256 Hashes and Application Names** 1b762680c64d851151a829e2679c68b4ea19aa825b6fe3866a191bf3d30fac70 Videos 4afbbc8247f0622bb7f40beeaff38083fe1514233c0e545b4ac11e17896548a2 Picture 7ca71565ac1f57725606fd92033928fbd727b810cd507f9d7b0ca2c89853abcf Secret TV 45d26f6d4a98ea352aa4411b861ddbee388546326567ce893124bbc8a0d1817b 영상 – videos 84d3e71dc27f7adfb9c6ac628dd240498059b82ec211c99e8ec63e3bc26240ba Daily Yoga 95de5f5533e6f9a7562e50b4f68bd5ce71227f52a1a9c15ee734cdfb59b27f1d 갤러리 – Gallery 208d68c431d58e6d311ae0f2574fab85a1205fc1597e10690116bf406eb5499c Vera 3125ba3f8ad308f93ecc2e167d4f4ecfccc6a1212795ac615e593dceff1ca795 동영상 – Videos 4687ef5f6b9398f2bf3ac84011afce3979145a42f29d35e8fd3ad1b086699952 갤러리 – Gallery 58195ad6606265c2d5d34f9b17d81daafc0a65551d8b83d9669a7e96ede786c1 내꺼사 진 – My Picture 70176c319aa4ca24c4cbfdf2b80a8d5ca430fc8370e2515b79f3c3c52ed58dc1 음성지 원 – Voice Support 1568520923f992612163a69d074580885deec03f2727824407f0371cc295aec5 Gallery af5d676ceecd28c83b8962fc5db012cdada7812cddf856ae63f735a3efd695b7 갤러리 – Gallery b3132e4cd475c381f2ec384b9055ee11ae80b529dcc78f03629106e2d12a50f6 Vera ----- b3333e2542a8d407d7ed6a2f0930d4372a84c9f95478d72ba1d6999c1c4ce74f 클라우 드 – Cloud beeb1010ca571221b0aa8604f1bf078331b06e378384f8651552b13aa20c9389 야동 – Porn c6793fcb9c647d0439a5bbeec46b5e24afc1e55b8e980669b3c1726d6556c72a Vera cf03a179b2b8d6a85a6ad3e5cd7405fe9a99c6ce89c6635d8c5d34bc9889b2ba Gallery d4b6a0055fbaec51c6a2d5edd29eec7768a27b40a6da94223ded28df3726487d 1004 Yoga d797bf2b4fd7a2cd38da819996e57b39b89ad0e65a0d9633ea332d8234368ce3 갤러리 – Gallery d4428d5eb4f746b3d136d4dbeb3907c82a9ac7fa18efd037d616f2f11dc235ac 한나TV – Hannah TV ef467f2389063e044237587ef12f8b0ae37d5b31c5b4efbf0928dfe5b648ed5a Gallery ef29420420802265d3958e05c33badad17d982309bd6f877d15475e64c793692 보안카 메라 – Security Camera ## About Zimperium Zimperium provides the only mobile security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from applications to endpoints, Zimperium is the only solution to provide ondevice mobile threat defense to protect growing and evolving mobile environments. For [more information or to schedule a demo, contact us today.](https://www.zimperium.com/contact-us) -----