Article Details

Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States. The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both BoneSpy and PlainGnome collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists." Gamaredon, also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB). Last week, Recorded Future's Insikt Group revealed the threat actor's use of Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting malicious payloads such as GammaDrop. It's believed that BoneSpy has been operational since at least 2021. On the other hand, PlainGnome emerged only earlier this year. Targets of the campaign possibly include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan based on VirusTotal submissions of the artifacts. There is no evidence at this stage that the malware was used to target Ukraine, which has been the group's sole focus. Back in September 2024, ESET also disclosed that Gamaredon unsuccessfully attempted to infiltrate targets in several NATO countries, namely Bulgaria, Latvia, Lithuania, and Poland in April 2022 and February 2023. Lookout has theorized that the targeting of Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan "may be related to worsening relations between these countries and Russia since the outbreak of the Ukraine invasion." The attribution of the new malware to Gamaredon stems from the reliance on dynamic DNS providers and overlaps in IP addresses that point to command-and-control (C2) domains used in both mobile and desktop campaigns. BoneSpy and PlainGnome share a crucial difference in that the former, derived from the open-source DroidWatcher spyware, is a standalone application, whereas the latter acts as a dropper for a surveillance payload embedded within it. PlainGnome is also a custom-made malware but one that requires the victim to grant it permission to install other apps through REQUEST_INSTALL_PACKAGES. Both surveillance tools implement a broad range of functions to track location, gather information about the infected device, and collect SMS messages, call logs, contact lists, browser history, audio recordings, ambient audio, notifications, photos, screenshots, and cellular service provider details. They also attempt to gain root access. The exact mechanism by which the malware-laced apps are distributed remains unclear, but it's suspected to involve targeted social engineering, masquerading themselves as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional-but-trojanized Telegram app. "While PlainGnome, which first surfaced this year, has many overlaps in functionality with BoneSpy, it does not appear to have been developed from the same code base," Lookout said.