December 13, 2024 at 12:49PM
Russian cyberspies Gamaredon are using two Android spyware families, BoneSpy and PlainGnome, to target Russian-speaking individuals in former Soviet states. BoneSpy has been active since 2021, while PlainGnome emerged in 2024. Both malware types collect extensive data from mobile devices, highlighting Gamaredon’s evolved tactics in digital surveillance.
**Meeting Takeaways:**
1. **Discovery of Malware**: Russian cyber espionage group Gamaredon has been identified using two Android spyware families, ‘BoneSpy’ (active since 2021) and ‘PlainGnome’ (emerged in 2024), to spy on and extract data from mobile devices in former Soviet states.
2. **Target Demographic**: Both malware families specifically target Russian-speaking individuals in former Soviet territories, reflecting Gamaredon’s alignment with Russia’s national interests.
3. **Malware Details**:
   – **BoneSpy**:
     – Delivered through trojanized Telegram apps and by impersonating Samsung Knox.
     – Developed from the open-source ‘DroidWatcher’, with notable activity between January and October 2022.
     – Capabilities include SMS collection, audio recording, GPS tracking, photo capturing, browsing history access, contact extraction, and notification reading.
   – **PlainGnome**:
     – A custom surveillance malware with significant development observed in 2024.
     – Uses a stealthy two-stage installation process and includes features to minimize detection, such as exfiltrating data only when the device is idle.
     – Has data collection capabilities similar to BoneSpy’s, but avoids alerting users through microphone activation indicators.
4. **Security Concerns**:
   – Neither malware family is available on Google Play; both are likely installed through social engineering tactics that direct victims to malicious websites.
   – Users can be deceived into granting dangerous permissions under the guise of essential communication apps.
5. **Strategic Focus**: Gamaredon’s increasing emphasis on Android device surveillance indicates a strategic evolution in their tactics to exploit the growing reliance on mobile devices for daily activities, making them key targets for espionage.
6. **Lack of Obfuscation**: Current versions of both malware do not employ code obfuscation, allowing for relatively straightforward analysis to identify their nature.