Cyble analyzes stealthy Android spyware targeting South Koreans, using an Amazon AWS S3 bucket to store exfiltrated data, including SMSs, contacts, and media.
Cyble Research and Intelligence Labs (CRIL) has uncovered a previously undetected Android spyware campaign targeting individuals in South Korea, which has been active since June 2024. The spyware leverages an Amazon AWS S3 bucket as its Command and Control (C&C) server and is designed to exfiltrate sensitive data from compromised devices, including contacts, SMS messages, images, and videos.
The spyware samples observed disguise themselves as live video apps, adult apps, refund apps, and interior design applications. Below are the icons used by the malware.
Two malicious URLs distributing the spyware have been identified:
Since its emergence, this malware has remained undetected by all security solutions, allowing it to operate stealthily. CRIL has identified four unique samples linked to this spyware, all exhibiting zero detection rates across major antivirus engines.
All identified spyware samples were observed communicating with the same Command and Control (C&C) server hosted on an Amazon S3 bucket: hxxps://phone-books[.]s3.ap-northeast-2.amazonaws.com/. Our analysis revealed that the stolen data, including contacts, SMS messages, images, and videos, was openly stored in the S3 bucket (C&C server), further confirming that the malware specifically targeted individuals in South Korea.
The attackers’ poor operational security resulted in the unintentional exposure of sensitive data. We reported the misuse of the AmazonAWS S3 bucket to Amazon Trust and Safety, which disabled access to the URL and made the data no longer accessible. Furthermore, our investigation found no other C&C servers utilizing S3 buckets or exposing stolen data linked to this campaign.
After installation, all spyware samples display a single screen with a message in Korean tailored to the app’s theme.
The source code of this spyware is relatively simple. It utilizes a minimal set of permissions, including “READ_SMS,” “READ_CONTACTS,” and “READ_EXTERNAL_STORAGE,” to carry out its malicious operations. The manifest file specifies only the main activity, which triggers the malicious functionality upon execution.
Upon installation, the spyware requests the necessary permissions; once granted, it executes its malicious functions. These functions, responsible for collecting data from the infected device, are executed within the API method “onRequestPermissionsResult”, as illustrated in the image below.
To exfiltrate images and videos, the malware queries the device’s content provider and uploads each file to the C&C server via the endpoint “/media/+filename”. This behavior is evident in the exposed data, as shown in Figure 3.
The malware gathers contacts and SMS messages from the infected device and stores them in two separate files: phone.json for contacts and sms.json for SMS data. These files are then transmitted to the C&C server, as demonstrated in the figure below.
This campaign highlights the growing sophistication of Android spyware targeting individuals in South Korea. By utilizing an Amazon AWS S3 bucket for Command and Control infrastructure, the threat actors were able to maintain stealth and evade detection for an extended period. This spyware strain utilizes a minimalist approach—leveraging only a few key permissions to exfiltrate sensitive data such as contacts, SMS messages, images, and videos—and demonstrates how even simple malware can be extremely effective.
It is concerning that attackers are increasingly turning to trusted cloud services like AWS as part of their malicious infrastructure. This tactic allows them to bypass traditional security measures and stay under the radar.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Tactic | Technique ID | Procedure |
Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site |
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | The malware collects contacts from the infected device |
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device |
Collection (TA0035) | Data from the Local System (T1533) | Malware steals images and videos from an infected device |
Command and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437) | Malware uses HTTPS protocol for C&C communication |
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C&C server |
Indicators | Indicator Type | Description |
afc2baf71bc16bdcef943172eb172793759d483470cce99e542d750d2ffee851 63952a785e2c273a4dc939adc46930f9599b9438 1d7bbb5340a617cd008314b197844047 | SHA256 SHA1 MD5 | Spyware hashes |
d9106d06d55b075757b2ca6a280141cbdaff698094a7bec787e210b00ad04cde 46eb3ba5206baf89752fe247eff9ce64858f4135 68e6401293e525bf583bade1c1a36855 | SHA256 SHA1 MD5 | Spyware hashes |
a8e398fc4b483a1779706d227203647db3e04d305057fdc7f3f6a4318677b9c8 d07a165b1b7c177c2f57b292ae1b2429b6187e45 16139baf56200f3975e607f89e39419a | SHA256 SHA1 MD5 | Spyware hashes |
3608f739c66c9ca18628fecded6c3843630118baaab80e11a2bacee428ef01b3 1fc56a6d34f1a59a4987c3f8ff266f867e80d35c fa073ca9ae9173bb5f0384471486cce2 | SHA256 SHA1 MD5 | Spyware hashes |
hxxps://phone-books.s3.ap-northeast-2.amazonaws.com/ | URL | C&C server |
hxxps://bobocam365[.]icu/downloads/pnx01.apk hxxps://refundkorea[.]cyou/REFUND%20KOREA.apk | URL | Distribution URL |