The Dark Side of Romance: SarangTrap Extortion Campaign

A sophisticated malware campaign named SarangTrap targets Android and iOS users through over 250 malicious apps and 80 phishing domains disguised as dating and social media services, stealing sensitive data such as contacts, images, and SMS messages. The campaign employs emotional manipulation and evolving tactics to evade detection and remains highly active, particularly in South Korea. #SarangTrap #zLabs #TA #AndroidMalware #iOSMalware

Key points

  • The SarangTrap campaign involves over 250 malicious Android apps and 80+ phishing domains impersonating dating, cloud storage, and car service platforms.
  • The malware deceives users with a fake UI and requires an invitation code before requesting sensitive permissions, helping it evade detection.
  • The Android variant exfiltrates contacts, device identifiers, private images, and SMS messages to a command-and-control server.
  • The iOS version uses a deceptive mobile configuration profile to gain access to contacts, photos, and the photo library.
  • Newer malware variants omit SMS permissions in manifests while retaining SMS exfiltration code, indicating active development to bypass security tools.
  • Over 70 phishing domains are actively distributing malware; many are indexed by Google, increasing user trust via search results.
  • The campaign heavily targets South Korea and uses emotional manipulation tactics to entice victims into installing the malware.
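The fifth key point describes a manifest/code mismatch: newer samples drop the SMS permission declaration but keep the SMS-reading code. That mismatch is itself a useful triage signal, because a permission-based scanner sees nothing while the decompiled classes still reference SMS APIs. The script below is an added example, not Zimperium's tooling or anything from the campaign's samples; it takes a decoded AndroidManifest.xml and a list of strings pulled from the decompiled classes (the kind of output apktool or jadx produce) and flags an app that references SMS APIs without declaring any SMS permission. The manifest, the class strings and the package name are all constructed for the example.

```python
"""Triage heuristic: flag an APK whose code references SMS APIs while its
manifest declares no SMS permission (the evasion described in the key points).

Added example for this summary; not Zimperium's code and not derived from any
real SarangTrap sample. All inputs below are constructed stand-ins.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that legitimately gate SMS access on Android.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Code-level indicators that the app touches SMS data, whatever the manifest
# says. Patterns accept both smali ("android/telephony/...") and Java
# ("android.telephony....") spellings.
SMS_CODE_PATTERNS = [
    re.compile(r"content://sms"),
    re.compile(r"android[./]provider[./]Telephony"),
    re.compile(r"android[./]telephony[./]SmsManager"),
]

# Constructed manifest: contacts, storage and network, but no SMS permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.datingapp.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Constructed Sample"/>
</manifest>
"""

# Constructed strings as they might appear in decompiled classes.
SAMPLE_CODE_STRINGS = [
    "Lcom/example/datingapp/InviteCodeActivity;",
    "content://sms/inbox",
    "Landroid/telephony/SmsManager;",
    "https://C2-PLACEHOLDER.example/upload",
]


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            perms.add(name)
    return perms


def sms_code_hits(code_strings: List[str]) -> List[str]:
    """Return the strings that match any SMS-related code pattern."""
    return [s for s in code_strings if any(p.search(s) for p in SMS_CODE_PATTERNS)]


def assess(manifest_xml: str, code_strings: List[str]) -> Dict[str, object]:
    """Combine manifest and code evidence into one verdict for an analyst."""
    perms = declared_permissions(manifest_xml)
    hits = sms_code_hits(code_strings)
    declares_sms = bool(perms & SMS_PERMISSIONS)
    if hits and not declares_sms:
        verdict = "sms_code_without_permission"   # the evasion pattern
    elif hits:
        verdict = "sms_declared_and_used"          # e.g. a genuine SMS app
    elif declares_sms:
        verdict = "sms_declared_not_used"
    else:
        verdict = "no_sms_indicators"
    return {
        "declared_sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_code_hits": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST, SAMPLE_CODE_STRINGS)
    print(result["verdict"])
    for hit in result["sms_code_hits"]:
        print("  SMS reference:", hit)
```

On a current Android release a query to the SMS content provider without READ_SMS fails at runtime with a SecurityException, so "sms_code_without_permission" usually means the code is dormant or intended for a later variant rather than currently working; it is still worth escalating, since it shows the developer is tuning the manifest against scanners. A legitimate messaging app lands in "sms_declared_and_used", which is expected and not a finding on its own.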

MITRE Techniques

  • [T1655.001] Masquerading: Match Legitimate Name or Location – Malware pretends to be a genuine app (‘Malware pretending to be a genuine app’).
  • [T1426] System Information Discovery – The malware collects basic device information (‘The malware collects basic device info.’).
  • [T1420] File and Directory Discovery – Enumerates files and directories on external storage (‘Enumerates files and directories on external storage.’).
  • [T1422] System Network Configuration Discovery – Collects IP and SIM card information (‘Collects IP and SIM information.’).
  • [T1636.003] Protected User Data: Contact List – Exports the device’s contacts (‘It exports the device’s contacts.’).
  • [T1533] Data from Local System – Collects files from external storage (‘Collects files from external storage.’).
  • [T1437.001] Application Layer Protocol: Web Protocols – Uses the HTTP protocol to communicate with the C2 server (‘Uses HTTP protocol to communicate with C&C server.’).
  • [T1646] Exfiltration Over C2 Channel – Sends exfiltrated data over command-and-control channels (‘Sending exfiltrated data over C&C server.’).
  • [T1582] SMS Control – Reads SMS messages on infected devices (‘It can read SMS messages.’).

Indicators of Compromise

  • [Android APK Samples] Over 250 unique malicious Android applications targeting users – examples not publicly listed.
  • [Phishing Domains] 88 unique domains with 70+ actively distributing malware and serving as phishing sites – multiple domains indexed by Google targeting dating and file sharing.
  • [iOS Profiles] Malicious iOS mobile configuration profiles used for data access – specific profiles undisclosed.

Read more: https://zimperium.com/blog/the-dark-side-of-romance-sarangtrap-extortion-campaign