A new Android spyware campaign targeting individuals in South Korea has been active since June 2024, using an Amazon AWS S3 bucket as its C2 server to exfiltrate data. The malware operates with a simple codebase, disguises itself as legitimate apps, and has remained undetected by major antivirus engines.
Key points
- New Android spyware campaign targeting South Korea since June 2024.
- Utilizes Amazon AWS S3 bucket for Command and Control (C&C) operations.
- Exfiltrates sensitive data including SMS, contacts, images, and videos.
- Stolen data stored openly on the S3 bucket, indicating poor operational security.
- Malware disguises itself as legitimate apps to evade detection.
- Four unique samples identified with zero detection rates across major antivirus engines.
MITRE Techniques
- [T1660] Phishing – Malware distributed via a phishing site.
- [T1636.003] Protected User Data: Contact List – Collects contacts from the infected device.
- [T1636.004] Protected User Data: SMS Messages – Steals SMS messages from the infected device.
- [T1533] Data from the Local System – Steals images and videos from the infected device.
- [T1437] Application Layer Protocol: Web Protocols – Uses HTTPS for C&C communication.
- [T1646] Exfiltration Over C2 Channel – Sends exfiltrated data to the C&C server.
Indicators of Compromise
- [URL] C2 server – https://phone-books.s3.ap-northeast-2.amazonaws.com/
- [URL] Distribution URLs – https://bobocam365.icu/downloads/pnx01.apk, https://refundkorea.cyou/REFUND%20KOREA.apk
- [Hash] Spyware hashes – afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 (SHA-256), 63952a785e2c273a4dc939adc46930f9599b9438 (SHA-1), 1d7bbb5340a617cd008314b197844047 (MD5)
- [Hash] More spyware hashes – d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde (SHA-256), 46eb3ba5206baf89752fe247eff9ce64858f4135 (SHA-1)
Read more: https://cyble.com/blog/undetected-android-spyware-targeting-individuals-in-south-korea/