The Russian state-backed hacking group Gamaredon has been linked to the development and deployment of two sophisticated Android malware families, BoneSpy and PlainGnome, designed to spy on mobile devices and steal data from them. These threats, discovered by the cybersecurity firm Lookout, specifically target Russian-speaking individuals in former Soviet states.
Gamaredon, also known as “Shuckworm,” is believed to operate under the auspices of Russia’s Federal Security Service (FSB), aligning its operations with the country’s national geopolitical interests. While the group has previously used a range of malware tools, BoneSpy and PlainGnome mark the first documented cases of Gamaredon malware targeting mobile devices, particularly Android.
BoneSpy
BoneSpy, which has been operational since 2021, is primarily distributed through trojanized Telegram applications or through apps that impersonate Samsung Knox. BoneSpy’s development peaked between January and October 2022, and it was based on the open-source “DroidWatcher” surveillance program. The malware can conduct a diverse array of surveillance operations, including:
- Collecting SMS messages (sender, content, and timestamps)
- Recording ambient audio and phone conversations
- Capturing GPS and cell tower-based location data
- Taking pictures via the camera and capturing screenshots
- Accessing the user’s web browsing history
- Extracting names, numbers, emails, and call logs from the contact list
- Monitoring clipboard content and device notifications
PlainGnome
PlainGnome, which emerged in 2024, is a more advanced, custom-built Android surveillance malware. Unlike BoneSpy, which was based on open-source code, PlainGnome uses a two-stage installation process consisting of a dropper and a payload, which improves its stealth. Its development saw significant progress from January to October 2024.
PlainGnome collects the same kinds of data as BoneSpy but adds features intended to reduce the chance of detection. Notably, it uses Jetpack WorkManager to exfiltrate the collected data in bulk only while the device is idle, so the activity is less likely to be noticed. Likewise, it records audio only when the device is inactive and the screen is off, so the user does not see the microphone activation indicator.
Despite these advancements, PlainGnome lacks code obfuscation, which makes it straightforward to identify through analysis. Upon installation, the malware requests risky permissions, including access to SMS, the contact list, call logs, and the camera. The request is disguised as coming from a legitimate communication app, which tricks victims into granting the permissions.
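The permission cluster and WorkManager usage described above give an analyst a cheap static triage signal. The script below is an added defender-side example, not code from the article, from Lookout, or from either malware family: it parses an AndroidManifest.xml, lists the risky permissions it declares, checks for WorkManager components, and returns a verdict. The sample manifest, the androidx.work name prefix used as the WorkManager indicator, and the threshold of three permissions are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions the article says PlainGnome requests at install time (SMS,
# contacts, call logs, camera), plus audio capture, which both families perform.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}
# Assumption: components whose names start with this prefix are merged into the
# manifest by the WorkManager library. Their presence only shows that the app
# schedules background work; it is an indicator for review, not proof of malice.
WORKMANAGER_PREFIX = "androidx.work."

# Constructed sample manifest for the demonstration, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str, threshold: int = 3) -> dict:
    """Return the risky permissions declared, whether WorkManager components are
    present, and a verdict: 'review' when at least `threshold` risky permissions
    are combined with background-work components, otherwise 'low'."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    risky = sorted(declared & RISKY_PERMISSIONS)
    component_names = [
        el.get(NAME_ATTR, "")
        for tag in ("service", "provider", "receiver", "meta-data")
        for el in root.iter(tag)
    ]
    uses_workmanager = any(n.startswith(WORKMANAGER_PREFIX) for n in component_names)
    verdict = "review" if len(risky) >= threshold and uses_workmanager else "low"
    return {"risky_permissions": risky, "uses_workmanager": uses_workmanager, "verdict": verdict}
```

A "review" verdict only prioritises a sample for manual analysis; legitimate messaging apps also declare several of these permissions, so the result must be confirmed by inspecting what the app actually does with them.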
Delivery and Detection
Neither BoneSpy nor PlainGnome has been found on Google Play, which suggests that the malware is spread through third-party websites, usually by manipulating people into installing the apps themselves. This narrow distribution indicates that Gamaredon selects specific individuals as targets for its surveillance activities.
Google has stated that Google Play Protect detects and removes all known variants of BoneSpy and PlainGnome, further protecting users of Android devices. The discovery of these malware families underscores Gamaredon’s growing focus on mobile device surveillance, a trend that is likely to continue as mobile phones become increasingly integral to personal and professional activities. With this rising dependence on mobile devices, they are becoming valuable targets for cyber espionage groups like Gamaredon.