Malware Campaign Masquerades as Dating Apps to Steal Data

July 24, 2025
A large-scale malware campaign using fake dating and social networking apps to steal sensitive personal data has been uncovered by mobile security researchers.

Dubbed “SarangTrap,” the operation spans both Android and iOS platforms and has leveraged more than 250 malicious apps and over 80 phishing domains to target users, particularly in South Korea.

According to a report published by Zimperium on Wednesday, the campaign employs emotionally manipulative tactics, luring victims through fake profiles, exclusive “invitation codes,” and convincing app interfaces.

These apps mimic legitimate services but are designed solely to access and extract user data, including contacts, private images, SMS content and device identifiers.

Once installed, the apps display a polished interface and request permissions that seem necessary for full functionality. Users are prompted to enter a code that triggers hidden spyware routines. After the app gains access, it silently transmits sensitive data to an attacker-controlled server.

Evolving Tactics and Cross-Platform Reach

The recent analysis by Zimperium’s zLabs team revealed a shift in the malware’s strategy.

In newer Android samples, developers have removed SMS permissions from the manifest file while retaining the code for message exfiltration. This suggests ongoing experimentation to bypass security scans while maintaining spyware functions.

For iOS users, the campaign utilizes malicious mobile configuration profiles instead of traditional app installations. Once installed, these profiles grant attackers access to the user’s contacts, photos and device information without raising immediate suspicion.

The threat actors behind SarangTrap registered 88 unique domains, with over 70 of them actively distributing malware. At least 25 of these have been indexed by search engines like Google, ranking for common keywords such as dating, file sharing and social networking. This helped the malicious pages appear credible to unsuspecting users.

As mentioned above, Zimperium also uncovered over 250 Android malware samples with slight variations, some omitting key permissions entirely to avoid detection. Despite reduced visible permissions, the apps continue to exfiltrate large amounts of personal data.
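The mismatch reported in both findings above (SMS permissions removed from the manifest while the exfiltration code stays, and samples omitting key permissions) is something an analyst can check for during triage. The following is an added example, not code from Zimperium or the original article: it compares the permissions declared in a decoded AndroidManifest.xml with strings pulled from decompiled code. The indicator map, function names and sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Substring seen in decompiled code -> permission that access normally requires.
# Small illustrative map (assumption), not a complete list.
INDICATORS = {
    "content://sms": "android.permission.READ_SMS",
    "Landroid/provider/Telephony$Sms": "android.permission.READ_SMS",
    "ContactsContract": "android.permission.READ_CONTACTS",
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def undeclared_capabilities(manifest_xml, code_strings):
    """Map each permission that code references but the manifest omits
    to the indicator substrings that revealed it."""
    declared = declared_permissions(manifest_xml)
    findings = {}
    for s in code_strings:
        for needle, perm in INDICATORS.items():
            if needle in s and perm not in declared:
                findings.setdefault(perm, set()).add(needle)
    return {perm: sorted(hits) for perm, hits in findings.items()}

# Constructed sample: manifest declares contacts access but no SMS permission.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample: strings as they might appear in decompiled output.
SAMPLE_STRINGS = [
    "content://sms/inbox",
    "Landroid/provider/ContactsContract$Contacts;",
    "https://example.invalid/upload",
]

if __name__ == "__main__":
    for perm, hits in undeclared_capabilities(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"referenced in code but not declared: {perm} (via {', '.join(hits)})")
```

A hit is a triage signal rather than a verdict: it marks samples where the declared permissions understate what the code is written to do, so they should not be cleared on the manifest alone.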

Emotional Manipulation Meets Technical Sophistication

The campaign combines technical sophistication with social engineering tactics. In one reported case, a man grieving a breakup was targeted via a fake dating profile. After downloading an app from a phishing link and entering a code, his device was compromised. Attackers used stolen content to blackmail him, threatening to expose personal videos to his family.

Zimperium warned users to stay cautious of apps demanding invitation codes or unusual permissions, avoid third-party app stores and regularly review installed profiles and security settings.

The SarangTrap operation remains active and is still evolving, making vigilance more critical than ever.
