Fake Android and iOS apps steal SMS and contacts in South Korea | McAfee Blog

McAfee Mobile Research observed a phishing campaign in South Korea that delivers Android and iOS information-stealer apps (detected as Android/SpyAgent) which harvest device identifiers, contacts, and SMS messages. The operators combine SMS and LINE messenger social engineering, phishing sites that impersonate legitimate app websites (e.g., Camtalk) and, on iOS, enterprise certificates shared through the third-party store Scarlet to get victims to sideload the apps, which then exfiltrate the stolen data to attacker-controlled servers.

Keypoints

  • Malicious Android/iOS info-stealer (detected as Android/SpyAgent) active since early October and observed on 200+ devices, all in South Korea.
  • Initial access via SMS lures, escalation to LINE messenger, then delivery of phishing site links that impersonate legitimate app websites.
  • Phishing pages mimic official sites (e.g., Camtalk) and force direct APK/IPA downloads from remote servers rather than redirecting to official app stores.
  • Android samples request permission to read SMS and contacts; iOS samples require contact access and are signed with enterprise certificates (shared via the third-party store Scarlet), so no manual trust prompt appears on devices that have already trusted that certificate.
  • Malware collects android_id and phone number to identify victims, then exfiltrates contacts and SMS to C2 servers (e.g., api.sweetchat23[.]com, somaonvip[.]com).
  • Multiple phishing domains and file hashes were published as IOCs, indicating a multi-themed campaign (social apps, photo albums, yoga/fitness) hosted on the same IP address.

MITRE Techniques

  • [T1566] Phishing – Campaign uses SMS and messenger links to deliver phishing sites: (‘They initially approach victims via SMS message. … That link is a phishing site where malicious apps will be downloaded.’)
  • [T1204] User Execution – Social engineering coerces users to download and run sideloaded apps from phishing pages: (‘When users eventually download and run the app through this phishing site, their contact information and SMS messages are sent to the malware author.’)
  • [T1036] Masquerading – Phishing pages copy legitimate app site layout and content to appear authentic (example: Camtalk impersonation): (‘It uses the same text, layout, and buttons as the legitimate Camtalk website, but instead of redirecting users to the official app store, it forces them to download the malicious application directly.’)
  • [T1071] Application Layer Protocol – Malware communicates with C2 endpoints over web protocols to send collected data: (‘hxxps://api.sweetchat23[.]com/ … C2 server’)
  • [T1041] Exfiltration Over C2 Channel – Stolen identifiers, contacts, and SMS are uploaded to attacker-controlled servers: (‘all of the user’s contact information and SMS messages are sent to the C2 server.’)

Indicators of Compromise

  • [URL] Phishing sites and download pages – hxxps://jinyoga[.]shop/, hxxps://mysecret-album[.]com/, and 8 more phishing domains
  • [C2 URL] Command-and-control endpoints – hxxps://api.sweetchat23[.]com/, hxxps://somaonvip[.]com/ (used to receive device identifiers and exfiltrated data)
  • [SHA256] Android APK samples – ed0166fad985d252ae9c92377d6a85025e9b49cafdc06d652107e55dd137f3b2, 2b62d3c5f552d32265aa4fb87392292474a1c3cd7f7c10fa24fb5d486f9f7665, and 2 more hashes
  • [SHA256] iOS IPA / Mach-O binaries – 97856de8b869999bf7a2d08910721b3508294521bc5766a9dd28d91f479eeb2e (iOS IPA), 04721303e090160c92625c7f2504115559a124c6deb358f30ae1f43499b6ba3b (iOS Mach-O), and 2 more hashes
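The IOCs above are published defanged (hxxps, [.]), so they have to be normalized before they can be matched against proxy or DNS telemetry. The following is an added example, not McAfee's code: it refangs the domains and hashes reproduced on this page (only those; the "8 more" domains are not listed here), scans a few constructed log lines for hosts that equal or sit under a watched domain, and labels a SHA256 digest if it is one of the published sample hashes. The log lines and their timestamps are constructed for the demo.

```python
"""Match this campaign's published IOCs against log data.

Added example (not McAfee's code). The domains and hashes are the ones
listed in the IOC section; the log lines are constructed for the demo.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Published defanged (hxxps, [.]); refanged before use. Only the IOCs
# reproduced on this page are included, not the "8 more" domains.
PHISHING_SITES = ["hxxps://jinyoga[.]shop/", "hxxps://mysecret-album[.]com/"]
C2_ENDPOINTS = ["hxxps://api.sweetchat23[.]com/", "hxxps://somaonvip[.]com/"]
SAMPLE_HASHES = {
    "ed0166fad985d252ae9c92377d6a85025e9b49cafdc06d652107e55dd137f3b2": "Android APK",
    "2b62d3c5f552d32265aa4fb87392292474a1c3cd7f7c10fa24fb5d486f9f7665": "Android APK",
    "97856de8b869999bf7a2d08910721b3508294521bc5766a9dd28d91f479eeb2e": "iOS IPA",
    "04721303e090160c92625c7f2504115559a124c6deb358f30ae1f43499b6ba3b": "iOS Mach-O",
}

# Dotted hostname with an alphabetic TLD; IP addresses and bare words are skipped.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo hxxp/[.] defanging and reduce a URL to its lowercase hostname."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"^https?://", "", s, flags=re.IGNORECASE)
    return s.split("/")[0].lower()


def classify_host(host: str, watch: Dict[str, str]) -> Optional[str]:
    """Label for host if it equals, or is a subdomain of, a watched domain."""
    host = host.lower().rstrip(".")
    for domain, label in watch.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None


def scan_logs(lines: List[str], phishing=PHISHING_SITES, c2=C2_ENDPOINTS) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, label) for every log line touching a watched domain."""
    watch = {refang(u): "phishing" for u in phishing}
    watch.update({refang(u): "c2" for u in c2})
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            label = classify_host(host, watch)
            if label:
                hits.append((n, host.lower(), label))
    return hits


def classify_hash(sha256_hex: str) -> Optional[str]:
    """Label for a SHA256 digest that matches a published sample, else None."""
    return SAMPLE_HASHES.get(sha256_hex.strip().lower())


def sha256_file(path: str) -> str:
    """SHA256 of a file on disk, for feeding classify_hash()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed proxy/DNS log lines (not real telemetry).
LOG_LINES = [
    "2024-10-12T09:14:03Z src=10.0.0.5 GET https://api.sweetchat23.com/api/upload 200",
    "2024-10-12T09:14:05Z src=10.0.0.5 GET https://www.google.com/ 200",
    "2024-10-12T09:15:11Z src=10.0.0.7 dns query=somaonvip.com type=A",
    "2024-10-12T09:16:40Z src=10.0.0.9 GET https://mysecret-album.com/download/app.apk 200",
]

if __name__ == "__main__":
    for n, host, label in scan_logs(LOG_LINES):
        print(f"line {n}: {host} -> {label}")
```

Subdomain matching is deliberate: the C2 list names api.sweetchat23[.]com, and a sibling host on the same domain is worth a look, while a lookalike such as notsomaonvip.com is not matched because the comparison requires a dot boundary.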

McAfee observed the campaign's distribution chain starting with SMS lures that move victims to LINE messenger, where attackers send links pointing to phishing pages masquerading as legitimate app sites (notably Camtalk). Those pages host multiple themed fake apps (social, photo album, fitness) and serve device-specific binaries (APK or IPA) for direct download from attacker-controlled servers instead of redirecting to Google Play or the Apple App Store.

On Android, the delivered APKs request READ_CONTACTS and SMS-read permissions; the code first captures android_id and the device phone number (getDeviceInfo()) to identify the victim, then enumerates contacts and SMS messages and packages them for exfiltration. On iOS, the operators sign the IPA with a shared enterprise certificate (distributed via third-party stores such as Scarlet), so a device that has already trusted that certificate runs the sideloaded app without a further trust prompt; the iOS samples request contact access and ask the user to enter a phone number, which the C2 uses to map the victim.
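The permission set described above (read contacts, read SMS, reach the network) is a usable static triage signal for sideloaded APKs. The following is an added example, not McAfee's code: it parses a decoded AndroidManifest.xml, collects the declared uses-permission names and reports whether they cover the stealer profile. Both manifests are constructed for the demo (package names included); READ_PHONE_STATE/READ_PHONE_NUMBERS are listed as an assumption about how an app might read the phone number, not as something the page says these samples declare. A real APK's binary manifest must be decoded first (for example with apktool) to the XML form used here.

```python
"""Static triage of a decoded Android manifest for the contact/SMS-stealer profile.

Added example (not McAfee's code). Manifests below are constructed; a real
APK's binary manifest must first be decoded (e.g. with apktool) to this XML.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups behind the behaviour the page describes: reading contacts,
# reading SMS, and sending them to a C2. The "identity" group is an assumption
# (one way an app can read the phone number), not something the page states.
PROFILE: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "network": {"android.permission.INTERNET"},
    "identity": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """All <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)
    return names


def matched_groups(perms: Set[str]) -> Set[str]:
    """Which capability groups the declared permissions cover."""
    return {group for group, names in PROFILE.items() if perms & names}


def is_stealer_profile(perms: Set[str]) -> bool:
    """True when the app can read contacts AND read SMS AND reach the network.

    A legitimate messaging or backup app matches too, so this is a triage
    signal to combine with the hash/domain IOCs, not a verdict on its own.
    """
    return {"contacts", "sms", "network"} <= matched_groups(perms)


def triage(manifest_xml: str) -> Dict[str, object]:
    """One-shot summary for an analyst: permissions, groups, and the profile flag."""
    perms = declared_permissions(manifest_xml)
    return {
        "permissions": sorted(perms),
        "groups": sorted(matched_groups(perms)),
        "stealer_profile": is_stealer_profile(perms),
    }


# Constructed manifest mimicking the stealer's permission set (package name invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="FakeChat"/>
</manifest>"""

# Constructed manifest of a harmless network-only app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.yogatimer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="YogaTimer"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

Because dangerous permissions are granted at runtime on current Android, the manifest only shows what the app can ask for; pairing this check with the hash and domain IOCs, or with a runtime trace of contacts/SMS content-provider queries followed by an outbound POST, is what turns the signal into a finding.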

Collected identifiers, contacts, and SMS are sent to C2 endpoints (examples: hxxps://api.sweetchat23[.]com/, hxxps://somaonvip[.]com/). McAfee ties multiple phishing domains to the campaign and published SHA256 hashes for the APK and IPA/Mach-O samples; the Android variants are detected as Android/SpyAgent. Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fake-android-and-ios-apps-steal-sms-and-contacts-in-south-korea/