BoneSpy¶
BoneSpy is an Android surveillanceware family that Lookout disclosed in December 2024 and originally attributed to Gamaredon (also tracked as Primitive Bear and Shuckworm), an APT group linked to Russia's FSB. Lookout subsequently reattributed BoneSpy and its companion family PlainGnome to Sandcat, a threat actor associated with Uzbekistan's State Security Service (SSS). The initial Gamaredon attribution rested on shared dynamic DNS providers and IP address overlaps between the mobile C2 infrastructure and Gamaredon's desktop campaign infrastructure. BoneSpy is derived from DroidWatcher, an open-source Russian surveillance application developed in 2013-2014, and shares near-identical code, class names, and log messages in the classes that handle call logs, location tracking, SMS, notifications, and browser bookmarks. Active since at least 2021, BoneSpy targets Russian-speaking victims in the former Soviet states of Central Asia, primarily Uzbekistan, Kazakhstan, Tajikistan, and Kyrgyzstan. Distribution relies on trojanized Telegram apps, fake Samsung Knox apps, and other social engineering lures. BoneSpy and PlainGnome are the first known mobile malware families linked to the Gamaredon/Sandcat operational space, which had previously been observed only in Windows-based operations.
Quick Reference¶
| Attribute | Details |
|---|---|
| First Seen | 2021 |
| Last Seen | Active as of December 2024 |
| Status | Active |
| Type | Surveillanceware |
| Attribution | Originally Gamaredon (FSB-linked); reattributed to Sandcat (Uzbekistan SSS) |
| Aliases | None known |
| Lineage | Based on DroidWatcher open-source surveillance app (2013-2014) |
| Distribution | Trojanized Telegram apps, fake Samsung Knox, battery monitoring lures, photo gallery lures |
| Related | PlainGnome (companion family by same operator) |
Capabilities¶
| Capability | Details |
|---|---|
| SMS collection | Harvests all SMS messages |
| Call logs | Extracts call history |
| Phone call audio | Records voice calls |
| Contacts | Exfiltrates device contact list |
| GPS location | Tracks device coordinates |
| Camera capture | Takes photos via device cameras |
| Ambient audio | Records microphone audio |
| Browser history | Collects browsing data and bookmarks |
| Notifications | Intercepts and reads notifications from all apps |
| Screenshots | Captures device screen |
| Cellular provider info | Collects SIM and carrier details |
| SMS-based control | Can receive commands via SMS messages |
BoneSpy's SMS command capability is notable: operators can issue instructions to the implant in SMS messages, giving them an out-of-band control channel that works without internet connectivity. On Android such a channel requires the RECEIVE_SMS permission and a broadcast receiver registered for android.provider.Telephony.SMS_RECEIVED, so that combination is worth checking for when triaging a suspected sample.
Technical Details¶
DroidWatcher Lineage¶
BoneSpy is built directly on the DroidWatcher codebase. DroidWatcher was a Russian open-source surveillance application developed between 2013 and 2014. BoneSpy retains nearly identical code structure, class names, and log messages in multiple classes related to:
- Call log database handling
- Location tracking
- SMS message storage
- Notification interception
- Browser bookmark collection
The operators took this publicly available surveillance framework and extended it for their operational needs, similar to how GuardZoo operators forked the Dendroid RAT codebase for military-targeted surveillance in the Middle East.
Architecture¶
Unlike PlainGnome, BoneSpy is a standalone single-stage application. There is no dropper; the full surveillance functionality is packaged in a single APK. This simpler architecture makes BoneSpy easier to deploy but also easier to analyze, since the complete capability set is visible through static analysis of one package.
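As an added example (not code from BoneSpy, DroidWatcher or Lookout), the following Python triage script shows what the single-package design means in practice and how the SMS control channel described under Capabilities surfaces in the manifest: it parses a decoded AndroidManifest.xml, maps declared permissions to the capability classes in the table above, and flags a RECEIVE_SMS permission paired with a receiver for SMS_RECEIVED. The two manifests are constructed samples, the package and class names are placeholders, and the permission map is generic Android knowledge rather than a BoneSpy signature.

```python
"""Static triage of a decoded AndroidManifest.xml for surveillance capabilities.

Added example, not code from BoneSpy, DroidWatcher or Lookout.  The two
manifests below are constructed; package and class names are placeholders.
Decode a real APK first (e.g. with apktool) so the manifest is plain XML
rather than binary AXML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PRIORITY = "{%s}priority" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Generic mapping from dangerous permissions to the capability classes in the
# table above.  RECORD_AUDIO covers both ambient and call recording.
PERMISSION_CAPABILITIES = {
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "SMS collection",
    "android.permission.READ_CALL_LOG": "Call logs",
    "android.permission.RECORD_AUDIO": "Microphone audio (ambient or call)",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.CAMERA": "Camera capture",
    "android.permission.READ_PHONE_STATE": "Cellular provider info",
}


def parse_manifest(xml_text: str) -> dict:
    """Extract permissions, SMS_RECEIVED receivers and notification-listener services."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(A_NAME) for e in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(A_PRIORITY, "0"))
                sms_receivers.append((receiver.get(A_NAME), priority))
    # A notification listener is a service the system binds to; it declares
    # BIND_NOTIFICATION_LISTENER_SERVICE on the <service>, not as <uses-permission>.
    notification_listener = any(
        s.get(A_PERMISSION) == NOTIF_LISTENER for s in root.iter("service"))
    return {"package": root.get("package"), "permissions": permissions,
            "sms_receivers": sms_receivers,
            "notification_listener": notification_listener}


def triage(manifest: dict) -> dict:
    """Map manifest facts to capability classes and an SMS-control flag."""
    caps = {PERMISSION_CAPABILITIES[p]
            for p in manifest["permissions"] if p in PERMISSION_CAPABILITIES}
    if manifest["notification_listener"]:
        caps.add("Notifications")
    # An SMS command channel needs RECEIVE_SMS plus a receiver for SMS_RECEIVED.
    # A high priority lets it see the message early; since Android 4.4 only the
    # default SMS app can abort the broadcast to hide the message from the user.
    sms_control = ("android.permission.RECEIVE_SMS" in manifest["permissions"]
                   and bool(manifest["sms_receivers"]))
    return {"capabilities": sorted(caps), "sms_control": sms_control}


# Constructed sample: a repackaged messenger carrying a surveillance payload.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger.repack">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <receiver android:name=".SmsCommandReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>"""

# Constructed sample: a plain gallery app with no surveillance footprint.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gallery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        m = parse_manifest(text)
        print(m["package"], triage(m), m["sms_receivers"])
```

The capability list is only what the manifest admits to; a sample can still request permissions at runtime or hide behaviour behind reflection, so treat the output as a triage score that decides which package gets a full decompile first, not as a verdict.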
C2 Infrastructure¶
The initial attribution to Gamaredon was based on overlaps between BoneSpy's C2 infrastructure and known Gamaredon desktop campaigns:
- Shared use of dynamic DNS providers
- IP address overlaps between mobile C2 domains and desktop campaign infrastructure
Lookout later determined these overlaps pointed to Sandcat rather than Gamaredon, though the two groups share operational patterns in their infrastructure management. Shared use of a dynamic DNS provider is a weak signal on its own, since the same providers are open to any operator; an IP that mobile and desktop C2 domains resolved to at the same time is stronger evidence, but it still shows only shared infrastructure, not necessarily a shared operator.
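To make the attribution reasoning concrete, here is an added Python example (not Lookout's tooling) of the infrastructure-overlap pivot described above: given passive-DNS style records for a set of mobile C2 domains and for a known desktop campaign, it finds IPs shared between the two, checks whether the resolutions overlapped in time, and lists dynamic DNS zones both sets use. All domains, IPs, dates and dynamic DNS zone names are constructed and drawn from reserved example ranges; the grading rule (concurrent shared IP counts as strong, time-disjoint shared IP or shared zone alone as weak) is a convention chosen for this example, not Lookout's method.

```python
"""Infrastructure-overlap pivot between mobile and desktop C2 records.

Added example; every domain, IP, date and dynamic DNS zone below is
constructed (RFC 5737 documentation ranges, reserved .example names).
"""
from datetime import date

# Constructed dynamic DNS zones; real providers are deliberately not named.
DYNAMIC_DNS_ZONES = ("dyn.example", "ddns.example")

# Records are (fqdn, resolved_ip, first_seen, last_seen), as a passive DNS
# source would give them.
MOBILE_C2 = [
    ("sync-a.dyn.example", "192.0.2.10", date(2022, 3, 1), date(2022, 6, 30)),
    ("update.ddns.example", "198.51.100.7", date(2022, 7, 1), date(2022, 9, 30)),
    ("api.mobilecdn.example", "203.0.113.20", date(2022, 1, 10), date(2022, 12, 1)),
]
DESKTOP_C2 = [
    ("doc-view.dyn.example", "192.0.2.10", date(2022, 4, 15), date(2022, 5, 31)),
    ("files.ddns.example", "198.51.100.7", date(2021, 1, 1), date(2021, 3, 31)),
    ("portal.corp.example", "203.0.113.5", date(2022, 2, 1), date(2022, 8, 1)),
]


def dynamic_zone(fqdn: str):
    """Return the dynamic DNS zone a hostname sits under, or None."""
    for zone in DYNAMIC_DNS_ZONES:
        if fqdn == zone or fqdn.endswith("." + zone):
            return zone
    return None


def windows_overlap(a_first, a_last, b_first, b_last) -> bool:
    """True if the two [first_seen, last_seen] intervals intersect."""
    return a_first <= b_last and b_first <= a_last


def ip_overlaps(mobile, desktop):
    """List (ip, mobile_fqdn, desktop_fqdn, concurrent) for every shared IP.

    Dynamic DNS pools reassign addresses between tenants, so a shared IP
    whose resolution windows do not overlap is much weaker than one that
    both campaigns used at the same time.
    """
    out = []
    for m_fqdn, m_ip, m_first, m_last in mobile:
        for d_fqdn, d_ip, d_first, d_last in desktop:
            if m_ip == d_ip:
                concurrent = windows_overlap(m_first, m_last, d_first, d_last)
                out.append((m_ip, m_fqdn, d_fqdn, concurrent))
    return out


def shared_dynamic_zones(mobile, desktop):
    """Dynamic DNS zones used by both record sets (sorted)."""
    m = {dynamic_zone(r[0]) for r in mobile} - {None}
    d = {dynamic_zone(r[0]) for r in desktop} - {None}
    return sorted(m & d)


def assess(mobile, desktop) -> dict:
    """Grade the overlap: strong (concurrent shared IP), weak, or none."""
    overlaps = ip_overlaps(mobile, desktop)
    zones = shared_dynamic_zones(mobile, desktop)
    if any(concurrent for _, _, _, concurrent in overlaps):
        signal = "strong"
    elif overlaps or zones:
        signal = "weak"
    else:
        signal = "none"
    return {"ip_overlaps": overlaps, "shared_zones": zones, "signal": signal}


if __name__ == "__main__":
    result = assess(MOBILE_C2, DESKTOP_C2)
    print("signal:", result["signal"])
    for ip, m, d, concurrent in result["ip_overlaps"]:
        print(f"  {ip}: {m} <-> {d} ({'concurrent' if concurrent else 'time-disjoint'})")
    print("  shared dynamic DNS zones:", result["shared_zones"])
```

Even a "strong" result here only shows that two campaigns used the same host at the same time; the BoneSpy reattribution is a reminder that such a pivot needs corroboration from code lineage, lures or tradecraft before it becomes an attribution.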
Distribution¶
BoneSpy has never been observed on Google Play. Distribution appears to rely on targeted social engineering, directing victims to download APKs from attacker-controlled sources.
| Lure Type | Details |
|---|---|
| Trojanized Telegram | Fully functional Telegram app bundled with BoneSpy surveillance payload |
| Fake Samsung Knox | Impersonates Samsung's enterprise security platform |
| Battery monitoring apps | Fake battery charge monitoring utilities |
| Photo gallery apps | Disguised as photo gallery applications |
Samples from January through September 2022 used the widest variety of trojanized app lures. The trojanized Telegram approach is particularly effective against Russian-speaking targets in Central Asia, where Telegram is a primary communication platform.
Target Regions¶
| Region | Details |
|---|---|
| Uzbekistan | Primary target based on VirusTotal submission data |
| Kazakhstan | Secondary target |
| Tajikistan | Secondary target |
| Kyrgyzstan | Secondary target |
Targeting aligns with Sandcat's known operational focus. Amnesty International reported in 2019 that Sandcat targeted academic and government organizations in countries neighboring Uzbekistan, as well as human rights defenders within Uzbekistan itself.
Attribution¶
Lookout initially attributed BoneSpy and PlainGnome to Gamaredon (Primitive Bear/Shuckworm), a group linked to Russia's FSB, based on dynamic DNS and IP address overlaps with Gamaredon's desktop campaigns. Lookout later updated the attribution to Sandcat, an Uzbekistan-based threat actor associated with Uzbekistan's State Security Service. Sandcat was first identified in 2019. The reattribution is significant because it means these families represent Uzbekistan's mobile surveillance capability rather than Russia's, though the DroidWatcher codebase and Russian-language targeting reflect the Russian-speaking operational environment of Central Asian intelligence services.
Related Families¶
| Family | Relationship |
|---|---|
| PlainGnome | Companion family by the same operator. PlainGnome is custom-built (not based on DroidWatcher) and uses a two-stage dropper architecture, representing an evolution beyond BoneSpy's single-stage design. |
| GuardZoo | Both are state-linked surveillance tools built on open-source foundations (BoneSpy from DroidWatcher, GuardZoo from Dendroid RAT), targeting specific regional populations through social engineering rather than exploit chains. |
| KoSpy | Both are state-sponsored Android surveillance tools discovered by Lookout, targeting regional populations. KoSpy serves North Korean intelligence while BoneSpy serves Central Asian intelligence operations. |
References¶
- Lookout: BoneSpy and PlainGnome Android Surveillance
- The Hacker News: Gamaredon Deploys Android Spyware BoneSpy and PlainGnome
- BleepingComputer: Russian cyberspies target Android users with new spyware
- Security Affairs: First mobile malware families linked to Gamaredon
- SecurityOnline: Gamaredon APT Deploys Two Russian Android Spyware Families
- Infosecurity Magazine: Lookout Discovers New Spyware Deployed by Russia and China