The campaign, dubbed PhoneSpy, was discovered by researchers at mobile security firm Zimperium, who found the spyware inside 23 Android apps.
Once installed, the researchers observed that the spyware will stealthily exfiltrate data from the victim’s device, including login credentials, messages, precise granular location and images.
“The PhoneSpy Android spyware campaign puts enterprises at as much, if not more, risk than consumers. The rise of bring your own device (BYOD) policies has blurred the line between work and personal data and any compromise to the security of an enterprise-connected device puts all corporate data at risk,” reasons Zimperium.
Attacking the mobile workforce
In their breakdown of the spyware, the researchers note that they found PhonySpy was capable of uninstalling any user-installed applications, including mobile security apps.
They also fathom that the trojan apps are most likely distributed through web traffic redirection or social engineering, since they couldn’t find any trace of the spyware-infested apps on Google Play Store or any third-party or regional Android stores as well.
Interestingly, PhoneSpy is currently only targeting South Korean residents, and has already taken more than a thousand victims. However, the researchers argue that with mobile devices playing critical roles in distributed and remote work, spyware campaigns such as PhoneSpy are a global concern.
Zimperium has shared their findings with the US and South Korean authorities. However, despite multiple reports to the web hosting company that powers the command and control (C2) server used by the campaign, the malicious server is still online.
Protect your mobile devices with these best Android antivirus apps