As per recent media reports, a Russian state-sponsored threat actor has been linked with the use of two Android spyware tools. The tools used by the Russian spyware hacker have been identified as BoneSpy and PlainGnome. In this article, we’ll focus on analyzing both of these tools, the payload, and more. Let’s begin!
Russian Spyware: Initial Discovery And Overview
The Russian spyware was initially identified by the Lookout Threat Lab, which observed two Android surveillance families dubbed BoneSpy and PlainGnome. As per the information available, both have been attributed to Gamaredon, a Russian threat group known for cyber espionage.
Before we proceed, it’s worth noting that the Russian spyware hacker group is also known as Primitive Bear and Shuckworm. In addition, this group has ties to the Russian Federal Security Service (FSB), and the two spyware tools mentioned earlier are the first to be attributed to this hacker group.
Reports claim that both BoneSpy and PlainGnome are targeting Russian-speaking victims across nations that were once part of the Soviet Union. Some of these nations include Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. It’s worth noting that the Russian spyware hacker group has been known for targeting Ukraine.
In addition, the shift in the hacker group’s targets is likely due to worsening relations with these countries. Although specific targets are difficult to identify, cyber security experts have noted indications of what can be categorized as enterprise targeting. Apart from the targeting, cybersecurity experts have attributed both Russian spyware apps to Gamaredon based on the IP address that was used.
It’s worth noting that this IP address points to command and control (C2) domains observed in the hacker group’s desktop campaign. Providing further insights, experts have stated that:
“We also observed a large number of domains sharing Gamaredon’s known domain naming convention described by MSTIC in April 2023, which were hosted on IP infrastructure shared with dynamic DNS C2 domains in use with the group’s mobile surveillanceware.”
Apart from this, Gamaredon has also been known for using ddns[.]net and other dynamic DNS providers ever since 2017. Dynamic DNS C2 domains are a consistent technique shared by both spyware apps that were part of this campaign.
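The two attribution signals described above (C2 domains on free dynamic-DNS services, and other domains co-hosted on the same IP infrastructure) are the kind of thing a defender can check against resolver logs. The following Python script is an added example, not code from the article or from Lookout: it flags queries for names under dynamic-DNS suffixes and then reports every resolved IP where a dynamic-DNS name shares an address with other names. The log lines are constructed for the example, ddns.net comes from the article, and the other suffixes in the list are an assumption (well-known free dynamic-DNS services a team would tune for its own environment).

```python
import re
from collections import defaultdict

# ddns.net is named in the article; the remaining suffixes are an assumption
# (other free dynamic-DNS services) and should be tuned per environment.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "no-ip.org", "hopto.org", "duckdns.org")

# Constructed sample resolver log (not real data):
# "<timestamp> <client IP> <query name> <resolved IP>"
SAMPLE_LOG = """\
2024-10-01T08:01:12Z 10.0.0.15 update-service.ddns.net 203.0.113.10
2024-10-01T08:01:40Z 10.0.0.15 www.example.com 198.51.100.7
2024-10-01T08:02:03Z 10.0.0.22 sync-beta.hopto.org 203.0.113.10
2024-10-01T08:03:55Z 10.0.0.31 cdn.example.org 203.0.113.11
2024-10-01T08:04:10Z 10.0.0.31 report-catalog.example.net 203.0.113.10
2024-10-01T08:05:00Z 10.0.0.15 telegram-beta-update.ddns.net 203.0.113.12
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def is_dynamic_dns(qname):
    """True when the query name sits under one of the dynamic-DNS suffixes."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_log(text):
    """Return (timestamp, client, qname, resolved_ip) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def find_dynamic_dns_queries(records):
    """Distinct dynamic-DNS names seen in the log, sorted for stable output."""
    return sorted({qname for _, _, qname, _ in records if is_dynamic_dns(qname)})


def find_shared_infrastructure(records):
    """Group names by the IP they resolved to and keep the IPs where a
    dynamic-DNS name is co-hosted with at least one other name. Those other
    names are worth a closer look: they share infrastructure with the
    dynamic-DNS C2 candidates."""
    by_ip = defaultdict(set)
    for _, _, qname, ip in records:
        by_ip[ip].add(qname.lower().rstrip("."))
    shared = {}
    for ip, names in by_ip.items():
        dyn = {n for n in names if is_dynamic_dns(n)}
        other = names - dyn
        if dyn and other:
            shared[ip] = {"dynamic_dns": sorted(dyn), "co_hosted": sorted(other)}
    return shared


def clients_querying(records, names):
    """Which internal clients asked for any of the given names (for follow-up)."""
    wanted = {n.lower() for n in names}
    return sorted({client for _, client, qname, _ in records if qname.lower() in wanted})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    dyn = find_dynamic_dns_queries(recs)
    print("dynamic-DNS queries:", dyn)
    print("clients to follow up:", clients_querying(recs, dyn))
    for ip, info in find_shared_infrastructure(recs).items():
        print(f"{ip}: dynamic-DNS {info['dynamic_dns']} co-hosted with {info['co_hosted']}")
```

On the constructed log, the script surfaces report-catalog.example.net because it resolves to the same address as two dynamic-DNS names, which is precisely the "domains hosted on IP infrastructure shared with dynamic DNS C2 domains" pattern the experts describe. A shared IP is a lead, not a verdict: shared hosting and CDNs produce the same overlap, so the co-hosted list needs analyst review before blocking.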
Android Spyware Apps Analysis
Before we dive into the details of the Russian spyware apps that were used in this campaign, it’s worth noting that BoneSpy, one of the two, has been tracked since December 2021, while PlainGnome was discovered in January 2024. The BoneSpy Android spyware app is derived from DroidWatcher, a Russian open-source surveillance app developed in 2013 or 2014.
PlainGnome, on the other hand, shares similar theming and C2 server properties but is not based on open-source code. PlainGnome is a two-stage deployment, whereas BoneSpy is a self-contained app. Despite this, both of them have surveillance capabilities that include:
- Trying to acquire root access to the device
- Anti-analysis checks
- Tracking the location
- Getting device information
- Acquiring sensitive user information such as:
  - Text messages
  - Call and ambient audio recordings
  - Browser history and notifications
  - Contacts and call logs
  - Photos taken using the camera and screenshots
  - Mobile service provider information
Given the properties of both these apps, it can be stated that social engineering appears to be the distribution method used by the Russian spyware hackers. In addition to this insight, experts have mentioned that applications belonging to either of these malware families were not available on Google Play.
BoneSpy Spyware App
As far as the BoneSpy Russian spyware is concerned, experts have noted continuous development between January and October 2022. After this development period, consistent lure theming and code structure were used. However, samples of the spyware from between January and September 2022 used various trojanized apps.
Common examples of such apps include ones posing as battery charge monitors, photo galleries, a fake Samsung Knox app, and Telegram apps. Commenting on the use of bogus apps, experts stated that:
“Later, Gamaredon largely shifted to using trojanized, fully functional Telegram samples titled as “Beta” versions. BoneSpy’s surveillance features stabilized by late 2022 along with almost exclusive use of trojanized Telegram samples.”
Those keen on ensuring protection must know that the BoneSpy samples experts observed this year had multiple surveillance capabilities, which encompassed:
- User browser history
- Data from text messages such as:
  - Address
  - Date
  - Body
- Device location and cell information
- Data from contact lists including:
  - Name
  - Phone number
  - Email address
- Data from call logs such as:
  - Phone number
  - Date
  - Name
  - Duration
  - Type of call
- File system information and installed apps
- Using the device’s cameras and recording phone calls
- Clipboard and notification content
- Abuse of media projection for device screenshots
- Device information such as:
  - IMEI
  - SIM cards
  - Carrier information
- Checking root privileges
PlainGnome Spyware App
The PlainGnome Russian spyware app is a two-stage deployment. The first stage of the spyware is very minimal and drops a malicious APK once it has been installed on the compromised device. It’s worth noting that both stages of the app use some variation of the Telegram package name.
The spy functionalities of the app are similar to those of BoneSpy. Providing insights pertaining to the installation of the APK, experts have stated that:
“Since it must install an APK (i.e. the surveillance payload), the first stage relies on the REQUEST_INSTALL_PACKAGES permission. Other than this less common permission, the first stage requests few permissions, and is lightweight in terms of code though notably contains some basic emulator checks. The victim starts the installation of the second-stage by pressing the only available button on the first stage’s splash screen, which has the Russian word “каталог” (meaning catalog, listing, or directory).”
In addition, the code of the PlainGnome spyware app has evolved since January 2024, with changes observed up until October. The developers behind the Russian spyware app have shifted to using Jetpack WorkManager classes for handling data exfiltration.
The core reason behind the shift is that WorkManager simplifies code development and maintenance and lets the developer specify the conditions under which a job runs. What this essentially means is that PlainGnome only exfiltrates data when the device is in an ideal state. Deploying such a mechanism allows the attackers to lower the possibility of being identified. Experts noted that:
“As opposed to the minimalist first (installer) stage, the second stage carries out all surveillance functionality and relies on 38 permissions. PlainGnome’s developers made no effort to obfuscate code and took very basic steps to hinder analysis.”
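The two stages described above have opposite manifest profiles: a lightweight installer that needs REQUEST_INSTALL_PACKAGES and little else, and a payload that requests dozens of permissions, both under a Telegram-like package name. The script below is an added example (not code from the article, Lookout, or any sample) showing how a defender can triage a decoded AndroidManifest.xml for exactly those traits. Both manifests are constructed to mirror the description in the text, the package name org.telegram.messenger.update is made up, the permission names are real Android permissions, and the "imitates Telegram" heuristic (a package containing "telegram" that is not the official org.telegram.messenger) is an assumption of the example.

```python
import xml.etree.ElementTree as ET

# Attributes in a manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permissions whose combination indicates broad surveillance reach.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
}
INSTALLER_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
OFFICIAL_TELEGRAM_PACKAGE = "org.telegram.messenger"  # assumption of this heuristic

# Constructed first-stage manifest: minimal dropper, installer permission only.
STAGE1_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.telegram.messenger.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Telegram Beta">
    <activity android:name=".SplashActivity"/>
  </application>
</manifest>
"""

# Constructed second-stage manifest: the surveillance payload (fewer than the
# 38 permissions the article reports, but the same profile).
STAGE2_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.telegram.messenger.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Telegram Beta"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarise the traits of a decoded manifest that the article associates
    with the two PlainGnome stages. Returns a dict a pipeline can act on."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = sorted({el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")})
    sensitive = sorted(p for p in perms if p in SENSITIVE_PERMISSIONS)
    installer = INSTALLER_PERMISSION in perms
    lookalike = "telegram" in package.lower() and package != OFFICIAL_TELEGRAM_PACKAGE

    findings = []
    if installer:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can side-load a second APK)")
    if installer and len(perms) <= 3:
        findings.append("installer permission with almost no other permissions: dropper-like")
    if lookalike:
        findings.append(f"package {package!r} imitates Telegram but is not the official package")
    if len(sensitive) >= 4:
        findings.append(f"{len(sensitive)} sensitive permissions: {', '.join(sensitive)}")

    return {
        "package": package,
        "permission_count": len(perms),
        "requests_install_packages": installer,
        "sensitive_permissions": sensitive,
        "lookalike_package": lookalike,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, manifest in (("stage 1", STAGE1_MANIFEST), ("stage 2", STAGE2_MANIFEST)):
        report = triage_manifest(manifest)
        print(f"{label}: {report['package']} ({report['permission_count']} permissions)")
        for f in report["findings"]:
            print("  -", f)
```

Run against a manifest extracted with a tool such as apktool, the script separates the dropper profile (installer permission, almost nothing else) from the payload profile (many sensitive permissions) at a glance. A package name alone proves nothing, since any APK can declare any name; the check that settles whether an app really is Telegram is the signing certificate, which this manifest-only triage does not see.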
It’s also worth noting that the commands the malicious app accepts for its spy functionalities include taking pictures and collecting:
- Text messages
- Contacts
- GPS location
- Ambient sounds
- Call audio
Russian-linked Threat Actor Victims
Before we dive into the details of the victims, it’s worth noting that the Russian spyware apps mask their identity by posing as Samsung Knox. Given that Knox is designed to enable enterprise mobility management on Samsung devices, it’s possible that the attacker may be posing as an internal IT administrator.
Details of the target location and the frequency of attacks shared by VirusTotal are provided below:
| Location | Number of Attacks |
| --- | --- |
| Uzbekistan | 9 |
| United States | 4 |
| Tajikistan | 3 |
| Kyrgyzstan | 2 |
| Germany | 2 |
| Kazakhstan | 1 |
| Great Britain | 1 |
| Syria | 1 |
| Poland | 1 |
| United Arab | 1 |
| Turkey | 1 |
| Hong Kong | 1 |
Conclusion
The rise of BoneSpy and PlainGnome shows how advanced and dangerous Russian state-sponsored spyware has become. By targeting former Soviet states and even reaching beyond them, these tools reveal the ongoing threat from groups like Gamaredon.
With their deceptive lures and powerful surveillance abilities, they remind us how important it is to stay on top of cybersecurity. As attackers get smarter, staying alert and informed is key to protecting ourselves in this ever-connected world.
The sources for this piece include articles in The Hacker News and Lookout.