December 13, 2024

Russian Gamaredon APT Deploys New Android Spyware Targeting Former Soviet States


Russian APT Gamaredon Launches Android Spyware Attack

Two new Android spyware tools, BoneSpy and PlainGnome, have been attributed to the Russia-linked state-sponsored threat actor Gamaredon, marking a significant expansion of the group's cyber espionage capabilities into mobile platforms.

Cybersecurity researchers at Lookout discovered the two mobile surveillance tools, which are the first known mobile-specific malware families associated with Gamaredon (also tracked as Primitive Bear or Shuckworm). The group is believed to be affiliated with Russia's Federal Security Service (FSB).

BoneSpy and PlainGnome are specifically designed to target Russian-speaking victims in former Soviet states, including Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. The targeting is likely related to the deteriorating relations between these countries and Russia since the invasion of Ukraine.

Both spyware tools collect a wide range of sensitive information from infected devices, including:

  • SMS messages

  • Call logs

  • Phone call audio recordings

  • Device location tracking

  • Contact lists

  • Photos from device cameras

  • Browser history

  • Device information

BoneSpy, which has been operational since 2021, is derived from the Russian open-source DroidWatcher surveillance app. It functions as a standalone application, and samples observed between January and October 2022 show continuous development. The malware can be controlled via SMS messages, checks whether the device is rooted, and has extensive data exfiltration capabilities.

PlainGnome, a more recent addition first discovered in 2024, is deployed in two stages: the first stage is a minimal installer that drops a second, malicious APK, and that second stage carries out the surveillance. Unlike BoneSpy, PlainGnome appears to be custom-developed and does not rely on existing open-source code.

The attribution of these malware families to Gamaredon is based on several technical indicators, including:

  • Overlapping command and control (C2) infrastructure

  • Use of dynamic DNS providers

  • Consistent IP address patterns

  • Matching domain naming conventions observed in previous Gamaredon campaigns

Most of the infrastructure associated with these spyware tools is hosted on Russian internet service providers, with many resolving to IP addresses registered to Global Internet Solutions LLC, a company located in Sevastopol, Crimea.
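The attribution reasoning above (shared resolved IPs, common dynamic-DNS providers, consistent address ranges, similar domain naming) can be turned into a repeatable scoring step when new C2 indicators arrive. The script below is an added illustration and is not Lookout's or the article's code; every domain and IP in it is constructed (reserved `.example` zones and RFC 5737 documentation addresses), the weights are arbitrary assumptions, and "provider zone = last two labels" is a simplification that a real pipeline would replace with a public-suffix lookup:

```python
"""Score how strongly new C2 indicators overlap known actor infrastructure.

Added illustration only. All indicators below are constructed: RFC 5737
documentation addresses and reserved .example domains stand in for real IOCs.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed "known" infrastructure: domain -> IPs it has resolved to.
KNOWN_INFRA = {
    "sync-win-update.ddns.example": ["192.0.2.10", "192.0.2.44"],
    "doc-viewer-cloud.dyndns.example": ["198.51.100.7"],
    "office-sign-check.ddns.example": ["192.0.2.44"],
}

# Constructed C2 domains pulled from new mobile samples.
NEW_INDICATORS = {
    "sms-sync-update.ddns.example": ["192.0.2.44"],
    "gallery-photo-cloud.dyndns.example": ["198.51.100.9"],
    "cdn.legit-unrelated.example": ["203.0.113.5"],
}

# Assumed weights: an exact IP match is the strongest single signal; a shared
# dynamic-DNS zone is weak on its own because thousands of unrelated users share it.
WEIGHT_EXACT_IP = 3
WEIGHT_SAME_NET = 1   # same /24 but a different host
WEIGHT_PROVIDER = 1   # same dynamic-DNS parent zone
WEIGHT_TOKEN = 1      # per shared word in the leftmost label


@dataclass
class OverlapScore:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)


def provider_zone(domain: str) -> str:
    """Parent zone a dynamic-DNS host is registered under (simplified: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def host_tokens(domain: str) -> set:
    """Words in the leftmost label, split on '-', ignoring very short fragments."""
    label = domain.lower().split(".")[0]
    return {t for t in label.split("-") if len(t) >= 3}


def _profile(infra: dict):
    """Collect the IPs, /24 networks, zones and naming tokens of an indicator set."""
    ips, nets, zones, tokens = set(), set(), set(), set()
    for domain, addrs in infra.items():
        zones.add(provider_zone(domain))
        tokens |= host_tokens(domain)
        for a in addrs:
            ips.add(ipaddress.ip_address(a))
            nets.add(ipaddress.ip_network(f"{a}/24", strict=False))
    return ips, nets, zones, tokens


def score_overlap(new: dict, known: dict) -> dict:
    """Return {domain: OverlapScore} for each new indicator measured against known infra."""
    known_ips, known_nets, known_zones, known_tokens = _profile(known)
    results = {}
    for domain, addrs in new.items():
        r = OverlapScore(domain)
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip in known_ips:
                r.score += WEIGHT_EXACT_IP
                r.reasons.append(f"shared IP {a}")
            elif ipaddress.ip_network(f"{a}/24", strict=False) in known_nets:
                r.score += WEIGHT_SAME_NET
                r.reasons.append(f"same /24 as known infra ({a})")
        zone = provider_zone(domain)
        if zone in known_zones:
            r.score += WEIGHT_PROVIDER
            r.reasons.append(f"same dynamic-DNS zone {zone}")
        for tok in sorted(host_tokens(domain) & known_tokens):
            r.score += WEIGHT_TOKEN
            r.reasons.append(f"shared naming token '{tok}'")
        results[domain] = r
    return results


def ranked(new: dict = NEW_INDICATORS, known: dict = KNOWN_INFRA) -> list:
    """New indicators ordered from strongest to weakest overlap."""
    return sorted(score_overlap(new, known).values(), key=lambda r: -r.score)


if __name__ == "__main__":
    for r in ranked():
        print(f"{r.score:2d}  {r.domain}")
        for why in r.reasons:
            print(f"      - {why}")
```

With the constructed data the SMS-themed domain that reuses a known address and naming words ranks first, the one that merely shares a /24, a dynamic-DNS zone and one token ranks second, and the unrelated CDN host scores zero. The point of keeping the reasons list is that an analyst can see which signals drove the score; a zone match alone should never be treated as attribution.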

The distribution method for these malware tools remains unclear, but researchers suspect targeted social engineering techniques. The apps have been observed masquerading as legitimate applications like battery monitoring tools, photo galleries, and even trojanized versions of popular messaging apps like Telegram.

While Gamaredon has historically focused on targeting Ukraine, this mobile espionage campaign appears to be expanding the group's reach to other former Soviet states. The discovery underscores the group's evolving capabilities and willingness to develop sophisticated mobile surveillance tools to gather intelligence.

Cybersecurity experts recommend that users in the targeted regions remain vigilant, regularly update their devices, and be cautious about installing applications from unknown sources.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to explain complex security topics with clarity and insight.
