Skip to main content

Multi-platform spyware tracks users across Windows and Android

spy
(Image credit: Shutterstock / rogistok)

While investigating an ongoing malware campaign, cybersecurity researchers have discovered new spyware with variants that work on both Android devices and Windows computers.

Named Chinotto, the malware was discovered by researchers at Kaspersky, who believe it is being used by a state-sponsored threat actor known as ScarCraft to keep tabs on North Korean defectors, journalists who cover North Korea-related news, and others.

“The actor utilized three types of malware with similar functionalities: versions implemented in PowerShell, Windows executables and Android applications….Therefore, the malware operators can control the whole malware family through one set of command and control scripts,” note the researchers.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The investigations revealed that the threat actor distributed the malware through a spear-phishing attack, which they perpetrated after compromising acquaintances of the victim using stolen social media or email credentials.  

Potent spy

The investigations revealed that, while the current campaign began some time in March 2021, there were several older variants of the malware dating back to mid-2020.

After compromising a host, the threat actors unleashed multiple malware strains to gain control over the host. Interestingly, in one instance, they waited a good six months after compromising a host before deploying Chinotto. 

Based on their analysis of Chinotto, the researchers believe that it not only enables attackers to spy on their victims via screenshots, but can also give them the ability to control the compromised devices, open a backdoor to exfiltrate data, and install additional malware.

Furthermore, the investigation revealed that the attackers fiddle around with the capabilities of the malware in what appears to be an attempt to thwart traditional signature-based detection.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.