Cybersecurity researchers have discovered that the Russian state-sponsored threat actor Gamaredon has developed two new Android spyware tools: BoneSpy and PlainGnome. This marks the group’s first venture into mobile-specific malware development.
According to Lookout’s analysis, both spyware variants target Russian-speaking populations in former Soviet states, collecting sensitive data including:
– SMS messages
– Call logs and audio
– Camera photos
– Device location
– Contact lists
BoneSpy, operational since 2021, is a standalone application derived from DroidWatcher spyware. PlainGnome, emerging in 2023, functions as a dropper requiring special permissions to install additional payloads.
Target countries likely include:
– Uzbekistan
– Kazakhstan
– Tajikistan
– Kyrgyzstan
The malware is reportedly distributed through social engineering tactics, disguising itself as legitimate applications such as:
– Battery monitoring tools
– Photo gallery apps
– Samsung Knox
– Modified Telegram client
Attribution to Gamaredon was confirmed through shared infrastructure patterns, including dynamic DNS providers and overlapping command-and-control IP addresses. This expansion into mobile malware represents a significant evolution in the FSB-affiliated group’s capabilities, though no evidence suggests deployment against its traditional Ukrainian targets.
Both spyware variants attempt to gain root access and collect comprehensive device data, including browser history, ambient audio, notifications, and cellular service information.