Uzbekistan, Kazakhstan, Kyrgyzstan, and Tajikistan have been targeted by the Russian state-backed threat group Gamaredon (also tracked as Armageddon, BlueAlpha, Aqua Blizzard, and Primitive Bear) in attacks using two newly documented Android surveillance tools, BoneSpy and PlainGnome, the group's first known campaign built on mobile-only malware, The Hacker News reports.
Malicious battery-charge tracking and photo gallery apps, a phony Samsung Knox app, and a trojanized Telegram app have been used to deliver the two spyware families, both of which collect device location, call logs, contact lists, SMS messages, and other sensitive data, according to a Lookout analysis. The two families differ in structure: BoneSpy, which is built on the open-source Droid-Watcher spyware, runs as a single standalone app, whereas PlainGnome is staged in two parts, with an installer app acting as a dropper for the surveillance payload. "While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base," said Lookout. The report follows a finding by Recorded Future's Insikt Group that Gamaredon had used Cloudflare Tunnels to conceal the infrastructure delivering its GammaDrop malware.