Skip to main content

These Android spyware apps are spreading like wildfire

Trojan
(Image credit: Iaremenko Sergii / Shutterstock)

Cybersecurity researchers have uncovered a new spyware campaign that hides in plain sight on victims’ Android devices under the garb of legitimate lifestyle apps. 

The campaign, dubbed PhoneSpy, was discovered by researchers at mobile security firm Zimperium, who found the spyware inside 23 Android apps

Once installed, the researchers observed that the spyware will stealthily exfiltrate data from the victim’s device, including login credentials, messages, precise granular location and images.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“The PhoneSpy Android spyware campaign puts enterprises at as much, if not more, risk than consumers. The rise of bring your own device (BYOD) policies has blurred the line between work and personal data and any compromise to the security of an enterprise-connected device puts all corporate data at risk,” reasons Zimperium.

Attacking the mobile workforce

In their breakdown of the spyware, the researchers note that they found PhonySpy was capable of uninstalling any user-installed applications, including mobile security apps. 

They also fathom that the trojan apps are most likely distributed through web traffic redirection or social engineering, since they couldn’t find any trace of the spyware-infested apps on Google Play Store or any third-party or regional Android stores as well.

Interestingly, PhoneSpy is currently only targeting South Korean residents, and has already taken more than a thousand victims. However, the researchers argue that with mobile devices playing critical roles in distributed and remote work, spyware campaigns such as PhoneSpy are a global concern.

Zimperium has shared their findings with the US and South Korean authorities. However, despite multiple reports to the web hosting company that powers the command and control (C2) server used by the campaign, the malicious server is still online. 

Protect your mobile devices with these best Android antivirus apps

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.