| Category | Details |
|---|---|
| Threat Actors | Gamaredon (aka Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, Winterflounder), linked to Russia’s Federal Security Service (FSB). |
| Campaign Overview | Gamaredon has been attributed two Android spyware tools, BoneSpy and PlainGnome, marking the group's first known use of mobile-only malware families. BoneSpy has likely been operational since 2021 and PlainGnome since 2024. |
| Target Regions | Former Soviet states: Uzbekistan, Kazakhstan, Tajikistan, Kyrgyzstan. Prior unsuccessful campaigns in NATO countries: Bulgaria, Latvia, Lithuania, Poland. |
| Methodology | Use of dynamic DNS providers, overlapping IP addresses across C2 domains, and social engineering (apps disguised as battery monitors, gallery apps, fake Samsung Knox, and a trojanized Telegram client). |
| Product Targeted | Mobile devices running Android. |
| Malware Reference | BoneSpy: Standalone spyware derived from Droid-Watcher; PlainGnome: Custom malware acting as a dropper for surveillance payloads, requiring REQUEST_INSTALL_PACKAGES permission. |
| Tools Used | BoneSpy, PlainGnome, dynamic DNS, Cloudflare Tunnels for staging infrastructure (distributing payloads like GammaDrop). |
| Vulnerabilities Exploited | Attempts to gain root access on infected devices; abuse of granted permissions to install additional apps. |
| TTPs | Collects SMS messages, call logs, contacts, device location, browser history, photos, and screenshots; records audio (phone calls and ambient); tracks notifications and cellular service details. |
| Attribution | Based on dynamic DNS usage, IP address overlaps, and functional similarities between mobile and desktop campaigns. |
| Recommendations | Strengthen app vetting procedures; raise awareness about social engineering risks; deploy Android threat protection solutions; monitor for suspicious app permissions and root access attempts. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/gamaredon-deploys-android-spyware.html
The above summary has been generated by an AI language model