Stealthy Android Spyware Campaign Targets South Koreans


Cyble Research and Intelligence Labs (CRIL) has identified a stealthy Android spyware campaign specifically targeting individuals in South Korea. Active since June 2024, this malware exploits an Amazon AWS S3 bucket as its Command and Control (C&C) server, facilitating the exfiltration of sensitive personal data, including SMS messages, contacts, images, and videos.

The Android spyware in question has shown remarkable sophistication in its ability to remain undetected by major antivirus solutions. CRIL has documented four unique samples of this malware, all of which have exhibited a striking zero detection rate across various security engines.

Overview of the Android Spyware Campaign

Figure: Screen loaded upon installation (Source: Cyble)

Upon installation, users encounter a benign-looking interface that mimics legitimate applications such as live video streaming, adult content, refund processing, and interior design. The simplicity of the source code allows the spyware to operate with minimal permissions, primarily focusing on “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE.” This minimalist approach not only enhances its stealth but also highlights how even basic malware can effectively compromise sensitive information.

Once installed, the spyware requests necessary permissions from the user. Upon approval, it activates its malicious functionality through the Android API method known as onRequestPermissionsResult. The malware then collects data, including SMS messages and contacts, and stores them in JSON files. This stolen data is subsequently transmitted to the C&C server hosted on an Amazon AWS S3 bucket.

Exposed Data and Security Flaws

The data exfiltrated from infected devices was stored in an openly accessible Amazon AWS S3 bucket, which gave the attackers easy access to it but also represents a lapse in their operational security, since the victims' data was exposed to anyone who located the bucket. CRIL identified two malicious URLs distributing the spyware, both of which led to APK files capable of compromising devices. The URLs are:

  • hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk
  • hxxps://bobocam365[.]icu/downloads/pnx01.apk

The exposure of sensitive data on the S3 bucket was alarming enough that CRIL reported the abuse to Amazon Trust and Safety. Following this intervention, access to the malicious URL was disabled, effectively preventing further data access.

The Technical Mechanics and Implications of the Campaign

The technical workings of this Android spyware reveal a concerning trend. The malware’s execution begins with a seemingly innocuous screen that aligns with the app’s purported purpose. After installation, it systematically collects various forms of personal data.

To gather images and videos, the spyware queries the device's content provider and uploads each media file to the C&C server at an endpoint whose path is /media/ followed by the file name. The contacts and SMS messages are written to two separate JSON files, phone.json and sms.json, before being sent to the same command server.
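The permission set and the file and path names described above are enough to build a simple static triage check. The Python script below is an added example, not code from Cyble or from the campaign; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool) and that printable strings have been extracted from the APK, and it uses a constructed manifest and a placeholder S3 host rather than the real bucket.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The three runtime permissions the campaign relies on, as named in the report.
SPYWARE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# String artefacts named in the report (staging files, upload path) plus a generic S3 host pattern.
ARTEFACT_PATTERNS = {
    "staging-file": re.compile(r"\b(?:phone|sms)\.json\b"),
    "media-upload-path": re.compile(r"/media/"),
    "s3-host": re.compile(r"(?:[a-z0-9.-]+\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.I),
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names from a decoded (plain-XML) manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml, strings):
    """Return (tag, evidence) findings; an empty list means nothing matched."""
    findings = []
    if SPYWARE_PERMS <= declared_permissions(manifest_xml):
        findings.append(("permission-set", "+".join(sorted(SPYWARE_PERMS))))
    for s in strings:
        for tag, pat in ARTEFACT_PATTERNS.items():
            if pat.search(s):
                findings.append((tag, s))
    return findings

def verdict(findings):
    # Flag only when the permission trio co-occurs with at least one C&C/staging artefact.
    tags = {tag for tag, _ in findings}
    return "suspicious" if "permission-set" in tags and tags - {"permission-set"} else "clean"

# Constructed sample input (not real campaign data): a decoded manifest and extracted strings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
SAMPLE_STRINGS = [
    "https://example-bucket.s3.ap-northeast-2.amazonaws.com/",  # placeholder host, not the real bucket
    "phone.json", "sms.json", "/media/", "Refund Korea",
]
```

The permission trio alone is too common in legitimate apps to act on, which is why the verdict requires it to co-occur with the report's staging or upload artefacts.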

The emergence of this Android spyware campaign highlights a growing trend of attackers utilizing trusted cloud services like Amazon AWS to host their malicious infrastructure. This tactic not only aids them in bypassing conventional security measures but also allows them to maintain a low profile, evading detection for an extended period. The use of reputable cloud services adds a layer of legitimacy to their operations, making it even harder for security professionals to identify threats.

Conclusion

As the sophistication of Android spyware continues to evolve, the implications for user privacy and data security become increasingly dire. This particular campaign targeting South Korea is a stark reminder of the potential vulnerabilities present in mobile devices. 

The malware’s reliance on an Amazon AWS S3 bucket for data storage exemplifies a troubling trend where attackers exploit trusted platforms to enhance their operational efficiency.
