New Android Spyware Campaign Targets South Koreans via AWS

Oct. 1, 2024, 8:20 p.m.

Description

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts, images, and videos. The spyware, which has evaded detection by major antivirus solutions, mimics legitimate applications and operates with minimal permissions. Upon installation, it collects data and stores it in JSON files before transmitting it to the C&C server. The campaign highlights a growing trend of attackers using trusted cloud services to host malicious infrastructure, making detection more challenging.

External References

https://thecyberexpress.com/android-spyware-campaign/
https://otx.alienvault.com/pulse/66fc4ca51bba70df1949f171
Tags
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques

Date

  • Created: Oct. 1, 2024, 7:25 p.m.
  • Published: Oct. 1, 2024, 7:25 p.m.
  • Modified: Oct. 1, 2024, 8:20 p.m.

Indicators

  • c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
  • a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
  • 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
  • https://refundkorea.cyou/REFUND%20KOREA.apk
  • https://bobocam365.icu/downloads/pnx01.apk
  • refundkorea.cyou
  • bobocam365.icu
Download all indicators here!

Attack Patterns

  • T1486
  • T1082
  • T1105
  • T1083
  • T1140
  • CVE-2017-11882
  • CVE-2024-21893
  • CVE-2024-21887
  • CVE-2023-46805
  • CVE-2021-44228

Additional Informations

  • Telecommunications