Undetected Android Spyware Targeting Individuals In South Korea
2024-9-23 16:1:25 Author: cyble.com(查看原文) 阅读量:10 收藏

Cyble analyzes stealthy Android spyware targeting South Koreans, using an Amazon AWS S3 bucket to store exfiltrated data, including SMSs, contacts, and media.

Key Takeaways

  • Since June 2024, a new Android Spyware campaign has been identified targeting individuals in South Korea, leveraging an Amazon AWS S3 bucket as its Command and Control (C&C) server.
  • The Spyware is capable of exfiltrating sensitive information from an infected device, including SMSs, contact lists, images, and videos.
  • The stolen data, stored openly on the S3 bucket, suggests poor operational security, potentially leading to unintended leaks of sensitive information.
  • The spyware operates with a simple source code and few key permissions, demonstrating that even simple malware can be highly effective in exfiltrating sensitive data.
  • The malware remained undetected by all major antivirus solutions. Four unique samples were identified, exhibiting zero detection rates across all engines.

Overview

Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.

The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.

Figure 1 – Icons used by malware
Figure 1 – Icons used by the malware

Two malicious URLs distributing the spyware have been identified:

  • hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
  • hxxps://bobocam365[.]icu/downloads/pnx01.apk
Figure 2 – Opendir hosting malware
Figure 2 – Opendir hosting malware

Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.

Figure 3 – Malware sample with zero detection
Figure 3 – Malware sample with zero detection

All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.

Figure 4 – Exposed data on S3 bucket
Figure 4 – Exposed data on S3 bucket
Figure 5 – Stolen SMSs saved on S3 bucket
Figure 5 – Stolen SMSs saved on S3 bucket
Figure 6 – Stolen contacts saved S3 bucket
Figure 6 – Stolen contacts saved S3 bucket

The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the AmazonAWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.

Figure 7 – Access disabled after reporting abuse
Figure 7 – Access disabled after reporting abuse

Technical Details

After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.

Figure 8 – Screen loaded upon installation
Figure 8 – Screen loaded upon installation

The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.

Figure 9 – Manifest file
Figure 9 – Manifest file

Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.

Figure 10 – Malware executing malicious functions in onRequestPermissionResult method
Figure 10 – Malware executing malicious functions in onRequestPermissionResult method

To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.

Figure 11 – Collecting images and videos
Figure 11 – Collecting images and videos

The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.

Figure 12 Saving contacts into a JSON file
Figure 12 – Saving contacts into a JSON file
Figure 13 – Sending JSON file to the CC server
Figure 13 – Sending JSON file to the C&C server

Conclusion

This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.

It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

TacticTechnique IDProcedure
Initial Access (TA0027)Phishing (T1660)Malware distribution via phishing site
Collection (TA0035)Protected User Data: Contact List (T1636.003)The malware collects contacts from the infected device
Collection (TA0035)Protected User Data: SMS Messages
(T1636.004)
Steals SMSs from the infected device
Collection (TA0035)Data from the Local System (T1533)Malware steals images and videos from an infected device
Command and Control (TA0037)Application Layer Protocol: Web Protocols (T1437)Malware uses HTTPS protocol for C&C communication
Exfiltration (TA0036)Exfiltration Over C2 Channel (T1646)Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 63952a785e2c273a4dc939adc46930f9599b9438 1d7bbb5340a617cd008314b197844047SHA256 SHA1 MD5Spyware hashes
d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde 46eb3ba5206baf89752fe247eff9ce64858f4135 68e6401293e525bf583bade1c1a36855SHA256 SHA1 MD5Spyware hashes
a8e398fc4b483a1779706d227203647db3e04d305057fdc7f3f6a4318677b9c8 d07a165b1b7c177c2f57b292ae1b2429b6187e45 16139baf56200f3975e607f89e39419aSHA256 SHA1 MD5Spyware hashes
3608f739c66c9ca18628fecded6c3843630118baaab80e11a2bacee428ef01b3 1fc56a6d34f1a59a4987c3f8ff266f867e80d35c fa073ca9ae9173bb5f0384471486cce2SHA256 SHA1 MD5Spyware hashes
hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/URLC&C server
hxxps://bobocam365[.]icu/downloads/pnx01.apk
hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
URLDistribution URL

Related


文章来源: https://cyble.com/blog/undetected-android-spyware-targeting-individuals-in-south-korea/
如有侵权请联系:admin#unsafe.sh