Full Report
The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both
Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
* **Identification:** Russia-linked state-sponsored threat actor.
* **Known Aliases/Associations:** Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, Winterflounder.
* **Affiliation:** Federal Security Service (FSB) of Russia.
## Activity Summary
Gamaredon has been attributed to the deployment of two new Android spyware families, **BoneSpy** and **PlainGnome**, in attack campaigns targeting former Soviet states. BoneSpy is believed to have been operational since at least 2021, while PlainGnome emerged in 2024. Separately, the group has recently been observed using Cloudflare Tunnels to conceal staging infrastructure that hosts the GammaDrop malware.
## Tactics, Techniques & Procedures
* **Mobile Malware Deployment:** Introduction of mobile-only malware families (BoneSpy and PlainGnome).
* **Infrastructure Concealment:** Use of Cloudflare Tunnels to hide staging infrastructure hosting malicious payloads (e.g., GammaDrop).
* **Capabilities (BoneSpy & PlainGnome):** Data collection and exfiltration, including:
  * SMS message interception.
  * Call log harvesting.
  * Phone call audio recording.
  * Photo capture from device cameras.
  * Device location tracking.
  * Contact list theft.
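The capability list above maps directly onto Android runtime permissions, which gives a defender a cheap triage check: an app that holds the permissions for most or all of these functions at once is worth a closer look. The following is an added example, not code from Lookout or from the original report; it parses constructed text in the shape of `aapt dump permissions` output (the package names are hypothetical) and flags apps whose permission set covers at least four of the six capabilities.

```python
"""Triage Android permission sets for the spyware capability cluster.

Added example, not from the original article. Input is constructed text in
the shape of `aapt dump permissions` output; package names are hypothetical.
"""
import re
from collections import defaultdict

# Each capability from the report maps to one or more alternative permission
# sets; the capability counts as present if any alternative is fully held.
# Call-audio recording needs both the microphone and call-state visibility,
# so a plain voice-memo app (RECORD_AUDIO only) does not match it.
CAPABILITY_PERMISSIONS = {
    "sms_interception": [{"android.permission.READ_SMS"},
                         {"android.permission.RECEIVE_SMS"}],
    "call_log_harvesting": [{"android.permission.READ_CALL_LOG"}],
    "call_audio_recording": [{"android.permission.RECORD_AUDIO",
                              "android.permission.READ_PHONE_STATE"}],
    "camera_capture": [{"android.permission.CAMERA"}],
    "location_tracking": [{"android.permission.ACCESS_FINE_LOCATION"},
                          {"android.permission.ACCESS_COARSE_LOCATION"}],
    "contact_theft": [{"android.permission.READ_CONTACTS"}],
}


def parse_aapt_permissions(text):
    """Parse concatenated `aapt dump permissions` output into {package: set(perms)}."""
    apps = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"package:\s*(\S+)", line)
        if m:
            current = m.group(1)
            apps[current]  # register the package even if it declares nothing
            continue
        m = re.match(r"uses-permission:\s*name='([^']+)'", line)
        if m and current:
            apps[current].add(m.group(1))
    return dict(apps)


def capabilities(perms):
    """Return the sorted list of report capabilities this permission set enables."""
    return sorted(cap for cap, alternatives in CAPABILITY_PERMISSIONS.items()
                  if any(alt <= perms for alt in alternatives))


def triage(text, threshold=4):
    """Return {package: capabilities} for apps at or above the capability threshold."""
    flagged = {}
    for pkg, perms in parse_aapt_permissions(text).items():
        caps = capabilities(perms)
        if len(caps) >= threshold:
            flagged[pkg] = caps
    return flagged


# Constructed sample: a weather app, a messenger, and a fake "system update".
SAMPLE = """\
package: com.example.weather
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
package: com.example.messenger
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
package: com.example.systemupdate
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE).items():
        print(pkg, "->", ", ".join(caps))
```

The threshold is deliberately a cluster count rather than any single permission: a messenger legitimately reads SMS and contacts, and a navigation app legitimately tracks location, but very few legitimate apps need SMS, call logs, microphone plus call state, camera, location and contacts together. Declared permissions are an upper bound on what an app can do, so this is a triage filter, not proof of spyware; confirm with dynamic analysis of the flagged package.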
## Targeting
* **Sectors:** Not stated in the source. The state sponsorship and geographic focus suggest government and other politically sensitive targets, but this is inference rather than reported targeting.
* **Geography:** Former Soviet states, specifically mentioning potential targets like **Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan**.
* **Victims:** Russian-speaking users within those regions. The article states there is currently no evidence of this campaign targeting Ukraine, Gamaredon's historical focus. Separately, the group attempted to target the NATO members Bulgaria, Latvia, Lithuania, and Poland in 2022 and 2023.
## Tools & Infrastructure
* **Malware families used:**
* BoneSpy (Android Spyware)
* PlainGnome (Android Spyware)
* GammaDrop (malware hosted on staging infrastructure that Gamaredon concealed behind Cloudflare Tunnels)
* **Infrastructure:** Use of **Cloudflare Tunnels** to conceal staging infrastructure. No C2 domains or IP addresses are given in the source text.
## Implications
The deployment of dedicated Android spyware like BoneSpy and PlainGnome signifies an expansion of Gamaredon's operational focus into mobile espionage, likely targeting regions experiencing geopolitical sensitivity or shifting alliances relative to Russia (such as Central Asian states). This pivot towards mobile platforms broadens the potential attack surface against individuals within those countries.
## Mitigations
* Implement monitoring and access control for mobile devices operating in former Soviet states, especially devices used by Russian-speaking users.
* Scrutinize network traffic for connections to Cloudflare Tunnel hostnames (quick tunnels appear under `*.trycloudflare.com`; named tunnels can sit behind arbitrary domains) that serve unusual binaries, archives or other staging content, as this is a recently observed infrastructure tactic.
* Ensure mobile endpoint security can detect the spyware functions described above (call recording, location tracking, SMS interception), and audit installed apps that request the combination of SMS, call-log, microphone, camera, location and contacts permissions.
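One way to act on the Cloudflare Tunnel mitigation above is a hunt over web-proxy logs that flags successful downloads of binary or archive content from quick-tunnel hostnames. The following is an added example, not code from the original report or from any vendor tool; the JSON-lines log format and every hostname and path in the sample are constructed for illustration.

```python
"""Hunt proxy logs for staging content served from Cloudflare quick tunnels.

Added example, not from the original article. Log format, hostnames and
paths below are constructed; only the *.trycloudflare.com suffix is real.
"""
import json
import posixpath
import re

# Cloudflare quick tunnels are issued hostnames under trycloudflare.com.
# Anchored at the end so look-alike domains such as
# trycloudflare.com.example.net do not match.
QUICK_TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

STAGING_EXTS = {".exe", ".dll", ".hta", ".lnk", ".zip", ".rar", ".7z",
                ".iso", ".msi", ".vbs", ".js", ".jse", ".ps1", ".bat"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-msdos-program", "application/zip",
                "application/x-rar-compressed", "application/x-7z-compressed",
                "application/hta"}


def is_quick_tunnel_host(host):
    return bool(QUICK_TUNNEL_RE.search(host.strip().rstrip(".")))


def looks_like_staging(path, content_type):
    """True if the path extension or the MIME type suggests a payload download."""
    ext = posixpath.splitext(path.split("?", 1)[0])[1].lower()
    mime = content_type.split(";", 1)[0].strip().lower()
    return ext in STAGING_EXTS or mime in BINARY_TYPES


def hunt(log_lines):
    """Return findings for successful staging downloads via quick tunnels."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if not (200 <= int(rec.get("status", 0)) < 300):
            continue
        if not is_quick_tunnel_host(rec["host"]):
            continue
        if looks_like_staging(rec["path"], rec.get("content_type", "")):
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "host": rec["host"], "path": rec["path"],
                             "content_type": rec.get("content_type", "")})
    return findings


# Constructed proxy log in JSON-lines form.
SAMPLE_LOG = [
    '{"ts":"2024-12-11T08:01:02Z","src":"10.0.0.15","host":"quiet-river-1234.trycloudflare.com","path":"/index.html","status":200,"content_type":"text/html; charset=utf-8","bytes":2310}',
    '{"ts":"2024-12-11T08:01:05Z","src":"10.0.0.15","host":"quiet-river-1234.trycloudflare.com","path":"/update/installer.zip","status":200,"content_type":"application/zip","bytes":184321}',
    '{"ts":"2024-12-11T08:02:10Z","src":"10.0.0.22","host":"cdn.example.com","path":"/tools/setup.exe","status":200,"content_type":"application/x-msdownload","bytes":990112}',
    '{"ts":"2024-12-11T08:03:44Z","src":"10.0.0.31","host":"blue-sky-5678.trycloudflare.com","path":"/api/data","status":200,"content_type":"application/octet-stream","bytes":51200}',
    '{"ts":"2024-12-11T08:04:01Z","src":"10.0.0.31","host":"trycloudflare.com.example.net","path":"/a.zip","status":200,"content_type":"application/zip","bytes":4096}',
    '{"ts":"2024-12-11T08:05:30Z","src":"10.0.0.40","host":"green-hill-9012.trycloudflare.com","path":"/drop.hta","status":404,"content_type":"text/html","bytes":150}',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["host"] + f["path"], f["content_type"])
```

Two caveats a practitioner should keep in mind. First, the hostname check only catches quick tunnels; a named tunnel fronted by an attacker-controlled domain is indistinguishable from ordinary Cloudflare-proxied traffic, so treat this as one signal among several. Second, a staging page that smuggles its payload client-side is logged as `text/html` and passes this rule; pair it with browser download telemetry or sandbox detonation of pages fetched from tunnel hosts.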