
PhoneSpy

PhoneSpy is an Android spyware family disguised as lifestyle and utility apps and targeting South Korean users. Discovered by Zimperium in November 2021, it was found in 23 trojanized apps distributed exclusively through sideloading, not through Google Play. The malware provides full device surveillance: real-time location tracking, silent photo and audio capture, call recording, SMS and contact harvesting, and file theft. Despite basic capabilities compared to commercial spyware, PhoneSpy infected over 1,000 devices before discovery.

Overview

Attribute: Details
First Seen: November 2021 (Zimperium discovery)
Status: Inactive
Type: Spyware, stalkerware
Attribution: Unknown
Distribution: Sideloaded APKs disguised as lifestyle apps

Origin and Lineage

Zimperium discovered PhoneSpy in November 2021, identifying 23 distinct apps carrying the spyware. The malware was not found on any official app store, relying entirely on social engineering to convince users to sideload the trojanized APKs. Zimperium did not find direct code overlap with known commercial spyware platforms, suggesting PhoneSpy was custom-built for this campaign.

The apps impersonated everyday utilities: yoga instruction, photo browsing, TV streaming, and Kakao Talk (South Korea's dominant messaging platform). This disguise strategy targeted a broad cross-section of South Korean smartphone users rather than specific high-value individuals.

Distribution

Vector: Details
Sideloaded APKs: Distributed via web traffic redirection and social engineering
App disguises: Yoga companion, photo gallery, TV/video streaming, Kakao Talk

PhoneSpy was not distributed through Google Play or any official app store. Victims were directed to download APKs through web redirects and phishing links, and had to allow installation from unknown sources themselves. The reliance on sideloading limited its spread but allowed it to avoid Google Play's malware scanning entirely.

Capabilities

Capability: Implementation
Real-time location: GPS-based continuous location tracking
Photo capture: Silent camera activation for front and rear cameras
Audio recording: Ambient audio capture via device microphone
Call recording: Records voice calls
SMS harvesting: Exfiltrates all SMS messages
Contact theft: Full address book exfiltration
Call log theft: Complete call history extraction
File exfiltration: Steals photos, videos, and documents from device storage
App list enumeration: Lists all installed applications
Device info collection: IMEI, device name, Android version, carrier

Once launched, PhoneSpy hides its icon from the launcher and begins background data collection. The app appears to function as advertised (yoga app, photo browser) while silently harvesting data and transmitting it to the C2 server.

Technical Details

C2 Communication

PhoneSpy communicates with its C2 server over plain HTTP, uploading collected data in periodic batches. Zimperium identified the C2 servers during its analysis. Because the channel carries no encryption, the uploaded data is visible in cleartext to any on-path proxy or IDS, which is what makes network-level detection straightforward.
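The detection the paragraph above alludes to, as an added example that is not part of the original page or of Zimperium's tooling: a beacon finder run over constructed HTTP proxy log lines. It groups POST uploads by client and destination host and flags pairs whose upload intervals are nearly constant, which is what a periodic plaintext exfiltration schedule looks like from a proxy. The log format, host names (all under the reserved `.invalid` TLD) and byte counts are constructed for the example and are not PhoneSpy infrastructure or real traffic.

```python
"""Flag periodic plaintext uploads from a phone in an HTTP proxy log.

Added example for the C2 behaviour described above. SAMPLE_LOG is constructed;
the hosts are placeholders, not PhoneSpy C2 servers.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: time, client, method, host, path, request bytes, content type.
SAMPLE_LOG = """\
2021-11-01T09:00:02 10.0.0.7 POST upload.example-c2.invalid /api/v1/data 18241 multipart/form-data
2021-11-01T09:00:05 10.0.0.7 GET  cdn.example-news.invalid /img/logo.png 0 -
2021-11-01T09:05:01 10.0.0.7 POST upload.example-c2.invalid /api/v1/data 20988 multipart/form-data
2021-11-01T09:07:44 10.0.0.7 GET  www.example-news.invalid /article/42 0 -
2021-11-01T09:10:03 10.0.0.7 POST upload.example-c2.invalid /api/v1/data 19330 multipart/form-data
2021-11-01T09:15:02 10.0.0.7 POST upload.example-c2.invalid /api/v1/data 21101 multipart/form-data
2021-11-01T09:12:10 10.0.0.7 POST www.example-shop.invalid /cart 512 application/x-www-form-urlencoded
2021-11-01T09:20:00 10.0.0.7 POST upload.example-c2.invalid /api/v1/data 18870 multipart/form-data
"""


def parse_log(text):
    """Parse the constructed log format into dicts; real proxies need their own parser."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, nbytes, ctype = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "client": client,
                     "method": method, "host": host, "path": path,
                     "bytes": int(nbytes), "ctype": ctype})
    return rows


def find_beacons(text, min_uploads=4, max_jitter=0.15, min_bytes=4096):
    """Return (client, host) pairs that POST sizeable bodies at near-constant intervals.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps between
    uploads; a scheduled exfiltration loop keeps it close to zero, while human
    browsing does not.
    """
    by_pair = defaultdict(list)
    for r in parse_log(text):
        if r["method"] == "POST" and r["bytes"] >= min_bytes:
            by_pair[(r["client"], r["host"])].append(r)

    findings = []
    for (client, host), posts in by_pair.items():
        if len(posts) < min_uploads:
            continue
        times = sorted(p["time"] for p in posts)  # log lines may be out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and pstdev(gaps) / avg_gap <= max_jitter:
            findings.append({"client": client, "host": host, "uploads": len(posts),
                             "interval_s": avg_gap,
                             "avg_bytes": mean(p["bytes"] for p in posts)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['uploads']} uploads every "
              f"{f['interval_s']:.0f}s, avg {f['avg_bytes']:.0f} bytes")
```

On the sample, only the five multipart uploads to `upload.example-c2.invalid` survive the filters (the single shopping-cart POST is too small and too rare); the gaps are 299, 302, 299 and 298 seconds, a coefficient of variation near 0.005. Raise `min_uploads` and lower `max_jitter` on a busy proxy to keep false positives from legitimate sync clients down, and note that this only works while the channel is plaintext: a variant that moved to TLS would leave only SNI, timing and size to go on.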

Persistence

The malware hides its launcher icon after initial execution, so it no longer appears in the app drawer. It runs as a background service and prompts the user to exempt it from battery optimization, so that Android's power management does not throttle or stop that service.
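A triage check that ties the capability table and the persistence behaviour above together, as an added example that is not PhoneSpy's code or a manifest recovered from the 23 apps: it parses a decoded `AndroidManifest.xml` and reports which of the listed surveillance capabilities the app has asked permission for, plus the persistence hooks (battery-optimization exemption, boot receiver). The capability-to-permission mapping is the editor's assumption from the Android permission model, and both sample manifests are constructed. Icon hiding itself is done at runtime (disabling the launcher component), so it does not show up in the manifest and is not checked here.

```python
"""Triage a decoded AndroidManifest.xml for a PhoneSpy-class surveillance footprint.

Added example, not PhoneSpy's code. CAPABILITY_PERMISSIONS is an assumption
drawn from the Android permission model, not from a recovered manifest. Run
with the path to a decoded manifest (e.g. apktool output) as the first
argument, or with no argument to score the two constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability from the table above -> permissions an app needs to implement it.
CAPABILITY_PERMISSIONS = {
    "real-time location": {"android.permission.ACCESS_FINE_LOCATION"},
    "photo capture": {"android.permission.CAMERA"},
    "audio/call recording": {"android.permission.RECORD_AUDIO"},
    "SMS harvesting": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact theft": {"android.permission.READ_CONTACTS"},
    "call log theft": {"android.permission.READ_CALL_LOG"},
    "file exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
    "device info collection": {"android.permission.READ_PHONE_STATE"},
}
# Permissions that keep a background service alive across Doze and reboot.
PERSISTENCE_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}


def parse_manifest(xml_text):
    """Extract package name, requested permissions and whether a BOOT_COMPLETED receiver exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    boot_receiver = any(
        a.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED"
        for a in root.iter("action"))
    return {"package": root.get("package", ""), "permissions": perms,
            "boot_receiver": boot_receiver}


def triage(xml_text, min_capabilities=4):
    """Flag a manifest that covers several surveillance capabilities and has a persistence hook."""
    m = parse_manifest(xml_text)
    caps = sorted(c for c, ps in CAPABILITY_PERMISSIONS.items() if m["permissions"] & ps)
    persistence = sorted(m["permissions"] & PERSISTENCE_PERMISSIONS)
    if m["boot_receiver"]:
        persistence.append("receiver for BOOT_COMPLETED")
    return {"package": m["package"], "capabilities": caps, "persistence": persistence,
            "suspicious": len(caps) >= min_capabilities and bool(persistence)}


# Constructed sample: a "yoga" app declaring the full surveillance set (not a real manifest).
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.yoga.trainer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: what a yoga app actually needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.yoga.trainer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    sources = [open(sys.argv[1]).read()] if len(sys.argv) > 1 else [SPYWARE_MANIFEST, BENIGN_MANIFEST]
    for src in sources:
        print(triage(src))
```

The heuristic is deliberately about mismatch, not about permissions in isolation: a yoga or photo-browser app that asks for call logs, SMS and a battery-optimization exemption is the tell. A genuine Kakao Talk build legitimately holds contacts, camera and SMS permissions, so for the messenger disguise the check that matters is the package name and signing certificate against the real publisher, which this script does not cover.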

Target Regions

Region: Details
South Korea: Exclusive target; Korean-language apps, Kakao Talk impersonation

PhoneSpy exclusively targeted South Korean users. All 23 identified apps used Korean-language interfaces and impersonated services popular in South Korea. The Kakao Talk disguise offered the broadest pool of potential victims, since Kakao Talk is used by over 90% of South Korean smartphone users.

Notable Campaigns

November 2021: Zimperium publishes its discovery of PhoneSpy across 23 apps, documenting over 1,000 infected devices in South Korea. The campaign distributed trojanized lifestyle apps through sideloading, with no presence on official app stores.

PhoneSpy occupies the space between commercial stalkerware and state-sponsored spyware. Its capability set is comparable to BoneSpy and PlainGnome, both of which target specific regional populations with full device surveillance. Unlike mercenary spyware products such as Pegasus or Predator, PhoneSpy has no exploit-based delivery and little anti-analysis tooling; it depends on the victim installing the APK and granting the permissions it requests.
