Three new mobile-only surveillance tools developed and used by state-sponsored organizations have been discovered by mobile security provider Lookout.
These new tools include BoneSpy and PlainGnome which are Android surveillance tools developed by Gamaredon (aka Primitive Bear, Shuckworm), an advanced persistent threat (APT) group associated with the Russian Federal Security Service (FSB).
Additionally, a Chinese software development company has created EagleMsgSpy, a lawful surveillance tool used by many government agencies in mainland China to collect extensive information from mobile devices.
Kyle Schmittle and Alemdar Islamoglu, both Senior Security Intelligence Researchers at Lookout, presented their findings at Black Hat Europe in London on December 11.
Russia’s BoneSpy and PlainGnome
Spyware Overview
BoneSpy and PlainGnome are the first known mobile families to be attributed to Gamaredon, an ATP group known for its cyber espionage campaigns targeting desktop devices, that the Security Service of Ukraine (SSU) attributed to the FSB in 2021.
BoneSpy has been in use since at least 2021 and is derived from the Russian open-source DroidWatcher, a surveillance app developed between 2013 and 2014.
PlainGnome first appeared in 2024 but shares similar theming and command-and-control (C2) server properties with BoneSpy.
Both families are still active and primarily used to target Russian-speaking individuals in former Soviet countries, such as Uzbekistan, Kazakhstan, Tajikistan and Kyrgyzstan.
“While Gamaredon has historically targeted Ukraine, the targeting of Central Asian countries like Uzbekistan likely resulted from worsening relations between these countries and Russia since the start of the Russian invasion of Ukraine in 2022,” the two researchers and their colleague Kristina Balaam wrote in a report published on December 11.
Spyware Features
Both spyware tools have broad surveillance capabilities, including:
- Attempting to gain root access to the device
- Anti-analysis checks
- Location tracking
- Getting information about the device
- Getting sensitive user data such as SMS messages, ambient audio and call recordings, notifications, browser history, contacts, call logs, photos from the camera, screenshots and cell service provider information
PlainGnome acts as a dropper for a surveillance payload, stored within the dropper package, while BoneSpy is deployed as a standalone application.
Before discovering BoneSpy and PlainGnome, Lookout’s Schmittle said that his team was only aware of two Russian-made spyware families. First, Monokle, developed by St. Petersburg-based company Special Technology Center (STC) in 2019 and likely used by Turla. The other is Infamous Chisel, used by Sandworm against Ukraine military entities since at least 2023.
No tags.
