Recent research by Lookout Threat Lab has identified two Android surveillance families, BoneSpy and PlainGnome, attributed to Sandcat, a threat actor linked to Uzbekistan's intelligence service. These malware families primarily target Russian-speaking victims in Central Asian countries and give the operator extensive surveillance capabilities on compromised devices. Affected: Android devices; users in Uzbekistan, Kazakhstan, Tajikistan and Kyrgyzstan.
Key points:
- BoneSpy and PlainGnome are attributed to Sandcat, linked with the State Security Service of Uzbekistan.
- BoneSpy is derived from the Russian open-source spy tool DroidWatcher.
- PlainGnome utilizes a two-stage deployment method, mimicking legitimate applications.
- Both families target primarily Russian-speaking victims across Central Asia.
- Surveillance capabilities include location tracking, access to messages, call recordings, and more.
- BoneSpy samples evolved using trojanized Telegram apps for distribution.
- PlainGnome employs a lightweight initial stage to install the actual surveillance payload.
- Lookout researchers continue to monitor and analyze these threats, indicating ongoing development.
MITRE Techniques:
- Access to Device Location (T1083): BoneSpy tracks device location via GPS and cell information.
- Data Exfiltration Over Command and Control Channel (T1041): Information is sent to actor-controlled servers through XMPP.
- OS Credential Dumping (T1003): BoneSpy accesses clipboard contents for sensitive data.
- Input Data Manipulation (T1009): PlainGnome collects SMS messages, call logs, and photos.
- Access to Application Data (T1074): PlainGnome uses Jetpack WorkManager to collect data during idle state.
Indicators of Compromise:
- [URL] llkeyvost.ddns[.]net
- [URL] fiordmoss.ddns[.]net
- [Hash] 5bf384e687da92562fcbabac390a88110ddb2755
- [URL] goos[.]pw
- [IP Address] 34.98.99[.]30
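As an added example (not code from the Lookout write-up), a small Python matcher that refangs the indicators listed above and checks log lines against them, matching subdomains of the listed domains as well as exact hosts. The log lines, internal device addresses and the XMPP port are constructed placeholders, not real telemetry.

```python
import re

# Indicators exactly as published above (defanged); refanged before matching.
DEFANGED_IOCS = {
    "domain": ["llkeyvost.ddns[.]net", "fiordmoss.ddns[.]net", "goos[.]pw"],
    "ip": ["34.98.99[.]30"],
    "sha1": ["5bf384e687da92562fcbabac390a88110ddb2755"],
}

def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

IOCS = {kind: {refang(v) for v in vals} for kind, vals in DEFANGED_IOCS.items()}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.I)

def host_matches(host: str) -> bool:
    """Exact or subdomain match against the domain indicators."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOCS["domain"])

def scan_line(line: str) -> list:
    """Return (kind, value) hits found in one log line."""
    hits = []
    for h in HOST_RE.findall(line):
        if host_matches(h):
            hits.append(("domain", h.lower()))
    for ip in IP_RE.findall(line):
        if ip in IOCS["ip"]:
            hits.append(("ip", ip))
    for digest in SHA1_RE.findall(line):
        if digest.lower() in IOCS["sha1"]:
            hits.append(("sha1", digest.lower()))
    return hits

def scan_logs(lines) -> list:
    """Return (line_number, hit) pairs over a sequence of log lines."""
    return [(i, hit) for i, line in enumerate(lines, 1) for hit in scan_line(line)]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-12-10T08:01:02Z dns query A llkeyvost.ddns.net from 10.0.0.5",
    "2024-12-10T08:01:05Z proxy CONNECT update.example.com:443",
    "2024-12-10T08:02:11Z xmpp session to 34.98.99.30:5222 from 10.0.0.5",
    "2024-12-10T08:03:40Z apk installed sha1=5bf384e687da92562fcbabac390a88110ddb2755",
    "2024-12-10T08:04:00Z dns query A api.goos.pw from 10.0.0.7",
]

if __name__ == "__main__":
    for lineno, (kind, value) in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} match {value}")
```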
Full Story: https://www.lookout.com/threat-intelligence/article/gamaredon-russian-android-surveillanceware