Keypoints
- AwSpy spyware discovered targeting South Korean Android users.
- Disguised as a recording app to deceive users.
- Uses Amazon AWS as the Command and Control (C&C) server for operations.
- Gathers sensitive data such as contacts and SMS messages from infected devices.
- Requests extensive permissions during installation (SMS, calls, contacts, photos).
- Stores data in JSON files (phone.json and sms.json) and uploads to the C&C server.
- Users are advised to use reputable security products and avoid installing apps from third-party sources.
MITRE Techniques
- [T1041] Data Exfiltration - Utilizes cloud services (Amazon AWS) to transfer stolen data.
- [T1003] Credential Dumping - Gathers sensitive information such as contacts and SMS messages.
- [T1071] Application Layer Protocol - Communicates with the C&C server using HTTP/S protocols.
Indicators of Compromise
- [Package Name] mobile.example.phone.b
- [Hash] fa073ca9ae9173bb5f0384471486ccea073ca9ae9173bb5f0384471486cce
- [Domain] phone-books.s3.ap-northeast-2[.]amazonaws.com
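The indicators above are only useful once they are matched against telemetry. The following is an added example (not from the original report or from the referenced article) that refangs the domain IoC and sweeps a few constructed proxy, DNS and package-install log lines for the domain, the package name and the two JSON file names named in the key points. The log formats and the `/upload/` path are assumptions for illustration; the page does not state the upload path.

```python
import re
from typing import Dict, List, Set, Tuple

# IoCs copied from the summary above; the domain is defanged exactly as the source gives it.
IOC_DOMAIN_DEFANGED = "phone-books.s3.ap-northeast-2[.]amazonaws.com"
IOC_PACKAGE = "mobile.example.phone.b"
# File names the key points say the spyware stages before upload.
EXFIL_FILES = ("phone.json", "sms.json")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a string that matches raw logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAIN = refang(IOC_DOMAIN_DEFANGED)

# Constructed sample log lines (assumption: one proxy log, one DNS log, one install audit line).
# Only device 10.0.0.12 is meant to look compromised.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.12 method=PUT "
    "url=https://phone-books.s3.ap-northeast-2.amazonaws.com/upload/sms.json status=200",
    "2024-05-01T10:00:02Z dns client=10.0.0.12 query=phone-books.s3.ap-northeast-2.amazonaws.com type=A",
    "2024-05-01T10:00:03Z dns client=10.0.0.13 query=updates.example.org type=A",
    "2024-05-01T10:00:04Z pkg-audit device=10.0.0.12 action=install package=mobile.example.phone.b",
    "2024-05-01T10:00:05Z proxy src=10.0.0.14 method=GET url=https://cdn.example.net/app.js status=200",
]

# Host field names used in the constructed logs (assumption about the log format).
HOST_FIELD = re.compile(r"\b(?:src|client|device)=(\S+)")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return every IoC hit in one log line as (indicator type, matched value)."""
    hits: List[Tuple[str, str]] = []
    if IOC_DOMAIN in line:
        hits.append(("domain", IOC_DOMAIN))
    if IOC_PACKAGE in line:
        hits.append(("package", IOC_PACKAGE))
    for name in EXFIL_FILES:
        # Match the staged file name only as a path component, not as a substring of another name.
        if re.search(r"/" + re.escape(name) + r"\b", line):
            hits.append(("exfil_file", name))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Keep only the lines that hit at least one indicator, together with their hits."""
    results = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            results.append((line, hits))
    return results


def affected_hosts(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each host that produced an IoC hit to the set of indicator types seen for it."""
    hosts: Dict[str, Set[str]] = {}
    for line, hits in scan_logs(lines):
        m = HOST_FIELD.search(line)
        if not m:
            continue
        hosts.setdefault(m.group(1), set()).update(kind for kind, _ in hits)
    return hosts


if __name__ == "__main__":
    for host, kinds in sorted(affected_hosts(SAMPLE_LOGS).items()):
        print(f"{host}: {', '.join(sorted(kinds))}")
```

Run against real proxy or DNS exports, the same three checks give a short list of devices to triage; a host that shows both the package install and a PUT to the bucket is a stronger signal than either alone.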
Read more: https://www.hendryadrian.com/awspy-new-spyware-targets-south-korean-android-users/