Gamaredon, the Russian state-aligned cyber espionage group, has been observed using Android spyware for the first time. Researchers at Lookout have identified two previously undocumented malware families, BoneSpy and PlainGnome, being used to target mobile devices.
Both are surveillance apps built to steal data from Android smartphones. BoneSpy has been in use since 2021, while PlainGnome is a newer tool first seen in 2024. Both appear to target Russian speakers, particularly those living in former Soviet states.
Gamaredon, also known by various aliases including Shuckworm, Aqua Blizzard, and Primitive Bear, is believed to operate in alignment with Russia’s geopolitical interests.
Gamaredon has a long history of deploying a variety of desktop malware; BoneSpy and PlainGnome mark a deliberate expansion into tooling built specifically for mobile devices. Both let the group monitor Android phones and exfiltrate data from them.
The group deployed BoneSpy and PlainGnome against Russian speakers in Central Asian countries including Uzbekistan and Kazakhstan. This targeting of former Soviet states is most likely driven by the geopolitical tensions that followed the invasion of Ukraine. Although early 2022 samples suggest that organisations may also have been targeted, no Ukrainian victims have been identified.
ESET reported in September 2024 that Gamaredon made two unsuccessful attempts, in April 2022 and February 2023, to target organisations in NATO member states including Bulgaria, Latvia, Lithuania and Poland.
Lookout’s researchers attributed both BoneSpy and PlainGnome to Gamaredon on the basis of infrastructure overlap: the mobile samples use domain naming patterns, shared IP addresses and dynamic DNS services such as ddns[.]net that the group has relied on in its desktop operations since 2017. That overlap ties the mobile surveillance tools to Gamaredon’s established desktop activity.
BoneSpy appears to be derived from DroidWatcher, an open-source Russian surveillance app. PlainGnome is not built on open-source code, although it shares design traits and command-and-control (C2) servers with BoneSpy.
PlainGnome is a newly developed Android surveillance tool written from scratch. Lookout observed significant code changes between January and October 2024, indicating active development. Its two-stage design, in which a small dropper installs the surveillance payload separately, makes it more flexible and harder to detect than a single monolithic app.
PlainGnome collects much the same data as BoneSpy, but it also uses Android’s Jetpack WorkManager to schedule uploads of stolen data only while the device is idle, reducing the chance that the victim notices the activity.
Its audio capture works the same way: a recording mode that activates only when the device is idle and the screen is off, so the victim sees no sign of microphone use.
Although the exact distribution method for these apps is unknown, the researchers believe targeted social engineering is involved. The apps impersonate everyday tools such as photo galleries and battery monitors; the list also includes a fake Samsung Knox app and a functional but trojanised build of Telegram.
Despite these refinements, Lookout notes that neither family uses code obfuscation, so their true purpose is quick to establish in analysis. Once launched, the apps request dangerous runtime permissions, including access to the camera, call log, contacts and SMS. Posing as a messaging app makes those requests look legitimate to the user.
Neither BoneSpy nor PlainGnome is distributed through Google Play. Victims are lured to attacker-controlled websites by social engineering and download the APKs from there.
Researchers see this as a growing focus by Gamaredon on Android smartphones, a shift in the group’s strategy that extends its espionage capability to mobile devices.
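The permission pattern described above (a supposed gallery, battery or messaging app that wants microphone, camera, SMS, call-log and contact access, together with the package-install right a two-stage dropper needs to land its payload) is something an analyst can check statically before running a sample. The following is an added example written for this page, not Lookout’s tooling or code from the malware: it parses a decoded AndroidManifest.xml (as produced by apktool) and scores the requested permissions. The package name and manifest contents are constructed for illustration.

```python
"""Static triage of an Android manifest for spyware-style permission requests.

Added example (not Lookout's tooling): flag apps whose claimed role does not
justify the sensitive data they ask for, plus the install permission a
dropper needs to side-load a second-stage APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Android "dangerous" runtime permissions grouped by the data they expose.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# Required to install an APK from outside the store: what a dropper uses
# to install its separate surveillance payload (not a runtime permission).
DROPPER_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
# Lets the app restart itself after reboot, a common persistence trait.
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the sensitive data categories requested and a verdict.

    Scoring: one point per distinct sensitive category, two extra if the
    app can install other packages, one extra for boot persistence.
    Three or more points is enough to pull the sample for a closer look.
    """
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    categories = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    dropper = DROPPER_PERMISSION in requested
    persistent = BOOT_PERMISSION in requested
    score = len(categories) + (2 if dropper else 0) + (1 if persistent else 0)
    return {
        "package": root.get("package"),
        "sensitive": categories,
        "dropper_capable": dropper,
        "boot_persistence": persistent,
        "score": score,
        "suspicious": score >= 3,
    }


# Constructed sample: a "battery saver" that wants spyware-grade access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterysaver">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Battery Saver"/>
</manifest>
"""

# Constructed sample: a benign gallery app with only what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gallery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Gallery"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

Because the samples are unobfuscated, the same check can be extended to the decoded code: a gallery app whose classes reference `MediaRecorder`, `SmsManager` or the WorkManager idle constraint is a stronger signal still.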
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.