Security researchers at Lookout have uncovered two sophisticated Android spyware families, BoneSpy and PlainGnome, developed by the Russian cyber-espionage group Gamaredon (also known as Shuckworm). This marks the group’s first documented expansion into mobile device targeting.
BoneSpy: The Earlier Variant
– Active since 2021
– Based on open-source DroidWatcher surveillance app
– Distributed through fake Telegram apps and Samsung Knox impersonation
– Core capabilities include:
* SMS message collection
* Audio and call recording
* Location tracking
* Camera access and screenshot capture
* Browser history monitoring
* Contact and call log extraction
* Clipboard and notification access
PlainGnome: The Advanced Evolution
– Emerged in 2024
– Custom-built surveillance malware
– Features two-stage installation process
– Enhanced capabilities include:
* All BoneSpy features plus:
* Smart data exfiltration during device idle time
* Stealth recording mode
* Advanced persistence mechanisms
Distribution and Targeting
– Neither spyware appears on the Google Play Store
– Primarily targets Russian-speaking individuals in former Soviet states
– Deployment through social engineering and targeted website downloads
– Requires the user to approve dangerous (runtime) permissions, presented as features of a communication app
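The capability list above maps almost directly onto Android runtime permissions, which is what a defender can check before a sample is ever executed. The following triage script is an added example, not code from Lookout's report or from the malware: it parses a decoded AndroidManifest.xml, groups the requested dangerous permissions by the surveillance capability they enable, and flags those that a genuine messenger would not plausibly need. The "messenger baseline" set and both sample manifests are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Android runtime ("dangerous") permissions grouped by the surveillance
# capability they enable, following the capability list in the text.
CAPABILITY_PERMISSIONS = {
    "sms_collection": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "audio_call_recording": {
        "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"},
    "location_tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "contacts_call_log": {
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
}
# Notification access is not a <uses-permission>; it is granted to a
# <service> protected by this permission, so it is checked separately.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Assumed baseline: permissions a real chat app can plausibly justify
# (contacts lookup, photo and voice messages). Anything else from the
# capability table is flagged as beyond what the app's cover story explains.
MESSENGER_BASELINE = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample: a fake messenger requesting a full surveillance footprint.
SAMPLE_SPYWARE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="{NOTIFICATION_LISTENER}"/>
  </application>
</manifest>"""

# Constructed sample: a messenger whose permissions its cover story explains.
SAMPLE_MESSENGER_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.realchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def declares_notification_listener(root):
    """True if any <service> is gated by the notification listener permission."""
    return any(svc.get(PERM_ATTR) == NOTIFICATION_LISTENER for svc in root.iter("service"))


def triage_manifest(manifest_xml):
    """Summarise the surveillance capabilities a decoded manifest asks for.

    Returns the capabilities matched, the permissions a messenger cover story
    does not explain, and the number of distinct capability groups present.
    """
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")} - {None}
    capabilities = {
        cap: sorted(requested & wanted)
        for cap, wanted in CAPABILITY_PERMISSIONS.items()
        if requested & wanted
    }
    if declares_notification_listener(root):
        capabilities["notification_access"] = [NOTIFICATION_LISTENER]
    beyond_baseline = sorted(
        perm for perms in capabilities.values() for perm in perms
        if perm not in MESSENGER_BASELINE)
    return {
        "capabilities": capabilities,
        "beyond_messenger_baseline": beyond_baseline,
        "capability_count": len(capabilities),
    }


if __name__ == "__main__":
    for label, manifest in (("fake", SAMPLE_SPYWARE_MANIFEST),
                            ("real", SAMPLE_MESSENGER_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The script expects a decoded (text) manifest; a manifest pulled straight from an APK is in binary AXML form and needs a decoder such as apktool or androguard first. Screenshot capture and clipboard access, also listed above, leave no manifest footprint because they rely on runtime APIs rather than declared permissions, so a clean triage result here does not rule them out.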
This development demonstrates Gamaredon’s strategic shift toward mobile surveillance, reflecting the growing importance of smartphones as intelligence targets. While sophisticated in functionality, both malware families notably lack code obfuscation, making them relatively easy to analyze once detected.