PlainGnome¶
PlainGnome is a custom-built Android surveillanceware family discovered by Lookout in December 2024, initially attributed to Gamaredon (Primitive Bear/Shuckworm, an FSB-linked APT group) and later reattributed to Sandcat, an Uzbekistan-based threat actor associated with Uzbekistan's State Security Service (SSS). Unlike its companion family BoneSpy, PlainGnome is not derived from existing open-source surveillance code. It is a purpose-built tool with a two-stage deployment architecture: a minimal first-stage dropper installs a second-stage surveillance payload that is stored inside the dropper package itself. PlainGnome performs emulator detection before deploying the second stage, and schedules exfiltration through Android's Jetpack WorkManager so that uploads run only while the device is idle. A stealth-optimized audio recording mode activates only while the device screen is off, which keeps the microphone indicator that Android 12 and later show in the status bar from being seen by the device owner. Active since 2024, PlainGnome targets Russian-speaking victims in Central Asian former Soviet states.
Quick Reference¶
| Attribute | Details |
|---|---|
| First Seen | 2024 |
| Last Seen | Active as of December 2024 |
| Status | Active |
| Type | Surveillanceware |
| Attribution | Originally Gamaredon (FSB-linked); reattributed to Sandcat (Uzbekistan SSS) |
| Aliases | None known |
| Lineage | Custom-built, no known open-source foundation |
| Distribution | Social engineering, fake utility apps |
| Related | BoneSpy (companion family by same operator) |
Capabilities¶
| Capability | Details |
|---|---|
| SMS collection | Harvests all SMS messages |
| Call logs | Extracts call history |
| Phone call audio | Records voice calls |
| Contacts | Exfiltrates device contact list |
| GPS location | Tracks device coordinates |
| Camera capture | Takes photos via device cameras |
| Ambient audio | Records microphone audio with screen-off stealth mode |
| Browser history | Collects browsing data |
| Notifications | Intercepts and reads notifications |
| Screenshots | Captures device screen |
| Cellular provider info | Collects SIM and carrier details |
| File access | Browses and exfiltrates files from storage |
Screen-Off Audio Recording¶
PlainGnome implements two ambient audio recording modes:
- Screen-off only - recording automatically stops when the device screen activates
- Continuous - records regardless of screen state
The screen-off mode exists because Android 12 and later display a microphone icon in the status bar whenever any application holds the microphone. By restricting recording to periods when the screen is off, the operator keeps the indicator from ever being on screen while the owner is looking at the device. Two caveats matter for defenders: the Privacy Dashboard introduced in Android 12 still logs each microphone access with a timestamp, so the recording sessions remain visible after the fact to anyone who checks it; and the SCREEN_OFF and SCREEN_ON broadcasts that drive this mode can only be delivered to a receiver registered at runtime, so the behaviour does not appear in the application manifest and has to be found in code or observed dynamically. This represents a direct adaptation to Android's privacy transparency features.
Idle-State Exfiltration¶
PlainGnome schedules its uploads through Android's Jetpack WorkManager API with a device-idle constraint, so exfiltration runs only when the system reports the device as idle (screen off and unused for a period) rather than while the victim is actively using the phone. This lowers the chance of the victim noticing unusual battery drain or data usage associated with upload operations. It also means the uploads are queued, retried and rescheduled by the system like any other background work, including after a reboot, instead of depending on the spyware keeping its own process alive.
Technical Details¶
Two-Stage Dropper Architecture¶
PlainGnome's deployment separates the dropper from the surveillance payload:
| Stage | Role |
|---|---|
| First stage (dropper) | Minimal APK that presents itself as a utility app; requests REQUEST_INSTALL_PACKAGES permission; deploys second stage |
| Second stage (payload) | Full surveillance module stored within the dropper package; installed after anti-analysis checks pass |
This two-stage design offers operational advantages over BoneSpy's single-stage approach. The dropper can present a benign appearance during initial analysis, and the surveillance payload is only deployed after the environment has been validated. If the dropper detects an emulator or analysis sandbox, it never drops the payload, shielding the actual surveillance capabilities from researcher inspection. Note that REQUEST_INSTALL_PACKAGES does not grant silent installation: the victim still has to allow the dropper to install unknown apps and confirm the package installer prompt, which is what the dropper's utility-app disguise is there to justify.
Emulator Detection¶
Before deploying the second-stage payload, PlainGnome checks whether it is running on an emulator. This targets automated analysis sandboxes and manual researcher environments. If emulation is detected, the dropper does not install the surveillance module, preventing capability exposure in controlled analysis settings.
No Code Obfuscation¶
Despite the sophistication of its two-stage architecture and anti-analysis checks, PlainGnome does not employ code obfuscation. Once a researcher obtains the second-stage payload (by running the dropper on a physical device or bypassing emulator detection), the surveillance code is fully readable, a notable gap in the tool's operational security.
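As an added example (this is not PlainGnome's code or Lookout's tooling), the following Python script triages an APK for the staged-dropper pattern described in the Technical Details sections above: the REQUEST_INSTALL_PACKAGES permission in the manifest, a second APK hidden under assets/ or res/raw/ regardless of its file name, and dex strings that point at emulator checks, a runtime-registered SCREEN_OFF receiver, a WorkManager device-idle constraint and APK installation. Embedded stages are triaged recursively, so the verdict reflects what the payload contains even though the dropper itself is minimal. The indicator strings, package names and both sample "APKs" are constructed assumptions built in memory for the demonstration, not strings or files taken from real samples; the manifest check works on an apktool-decoded manifest and also on a binary AXML string pool in either UTF-8 or UTF-16LE.

```python
import io
import re
import zipfile

# Strings that, taken together, point at the behaviours described on this
# page. Intent.ACTION_SCREEN_OFF is a compile-time constant and the
# WorkManager names are class/method identifiers, so they survive into the
# dex even though the receiver itself is registered at runtime. Every needle
# is an assumption about what such a dropper would contain, not a string
# recovered from PlainGnome.
CODE_INDICATORS = {
    "emulator_check": [b"Landroid/os/Build;", b"goldfish", b"ranchu", b"google_sdk", b"generic_x86"],
    "idle_scheduling": [b"Landroidx/work/Constraints$Builder;", b"setRequiresDeviceIdle"],
    "screen_off_receiver": [b"android.intent.action.SCREEN_OFF"],
    "apk_install": [b"application/vnd.android.package-archive", b"Landroid/content/pm/PackageInstaller;"],
}
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
DEX_NAME = re.compile(r"classes\d*\.dex")


def _looks_like_apk(blob: bytes) -> bool:
    """True if blob is a zip that carries a manifest and at least one dex."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            names = inner.namelist()
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(DEX_NAME.fullmatch(n) for n in names)


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of one APK; embedded stages are triaged recursively."""
    findings = {"install_permission": False, "code_indicators": {}, "embedded": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" in names:
            manifest = z.read("AndroidManifest.xml")
            # A decoded manifest is UTF-8 text; a binary AXML string pool may be
            # UTF-8 or UTF-16LE, so both encodings are tried.
            findings["install_permission"] = any(
                enc in manifest for enc in (INSTALL_PERMISSION.encode(), INSTALL_PERMISSION.encode("utf-16-le"))
            )
        for name in names:
            if name.startswith(("assets/", "res/raw/")) and not name.endswith("/"):
                data = z.read(name)
                # Only plain zips are recognised; an XOR-ed or encrypted payload
                # would have to be decoded before this check can see it.
                if data[:4] == b"PK\x03\x04" and _looks_like_apk(data):
                    findings["embedded"][name] = triage_apk(data)
        dex_blob = b"".join(z.read(n) for n in names if DEX_NAME.fullmatch(n))
        for label, needles in CODE_INDICATORS.items():
            hits = [n.decode() for n in needles if n in dex_blob]
            if hits:
                findings["code_indicators"][label] = hits
    return findings


def all_indicators(findings: dict) -> set:
    """Indicator labels across the outer APK and every embedded stage."""
    labels = set(findings["code_indicators"])
    for sub in findings["embedded"].values():
        labels |= all_indicators(sub)
    return labels


def verdict(findings: dict) -> str:
    staged = findings["install_permission"] and bool(findings["embedded"])
    stealth = {"screen_off_receiver", "idle_scheduling"} & all_indicators(findings)
    if staged and stealth:
        return "staged-dropper-with-stealth-payload"
    if staged:
        return "staged-dropper"
    return "no-staging"


def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed test data, not real samples. The manifest is written the way
# apktool decodes it; the "dex" files are dex magic followed by the
# NUL-separated strings a real string table would carry.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.batterymonitor">
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Battery Monitor"/>
</manifest>
"""
SAMPLE_STAGE2 = _build_zip({
    "AndroidManifest.xml": b'<manifest package="com.example.stage2"/>',
    "classes.dex": b"dex\n035\x00" + b"\x00".join([
        b"android.intent.action.SCREEN_OFF", b"Landroid/media/MediaRecorder;",
        b"Landroidx/work/Constraints$Builder;", b"setRequiresDeviceIdle",
    ]),
})
SAMPLE_DROPPER = _build_zip({
    "AndroidManifest.xml": SAMPLE_MANIFEST,
    "classes.dex": b"dex\n035\x00" + b"\x00".join([
        b"Landroid/os/Build;", b"goldfish", b"ranchu",
        b"application/vnd.android.package-archive", b"Landroid/content/pm/PackageInstaller;",
    ]),
    "assets/ui.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
    "assets/data.bin": SAMPLE_STAGE2,  # second stage hidden without an .apk extension
})

if __name__ == "__main__":
    for label, blob in (("dropper", SAMPLE_DROPPER), ("stage2 alone", SAMPLE_STAGE2)):
        f = triage_apk(blob)
        print(label, "->", verdict(f), f)
```

The verdict deliberately requires both the install permission and an embedded APK before calling something a staged dropper, because either alone is common in legitimate apps (updaters, app stores, games with asset packs); the emulator-check needles are likewise only reported, not scored, since many clean apps read Build fields. Run it over the dropper rather than only the extracted payload: the screen-off and idle indicators live in the second stage, which is exactly what a sandbox that fails the emulator check never gets to see.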
Custom Codebase¶
PlainGnome does not share code lineage with DroidWatcher or any other known open-source surveillance project. While it implements a similar capability set to BoneSpy, the implementation is original. This likely reflects an intentional progression by the operators: BoneSpy served as the initial capability (leveraging existing code for rapid deployment), while PlainGnome represents a custom follow-on tool built to address the limitations of using a known open-source codebase.
Distribution¶
PlainGnome has never been observed on Google Play. Distribution is suspected to involve targeted social engineering, with lures including:
| Lure Type | Details |
|---|---|
| Battery charge monitoring | Fake utility apps for battery management |
| Photo gallery apps | Disguised as photo gallery applications |
| Fake Samsung Knox | Impersonates Samsung's enterprise security platform |
| Trojanized Telegram | Fully functional Telegram app bundled with surveillance capabilities |
The exact delivery mechanism (phishing links, direct messages, watering holes) remains unclear. The targeting of Russian-speaking populations in Central Asia suggests distribution through Russian-language social channels and messaging platforms.
Target Regions¶
| Region | Details |
|---|---|
| Uzbekistan | Primary target |
| Kazakhstan | Secondary target |
| Tajikistan | Secondary target |
| Kyrgyzstan | Secondary target |
The targeting mirrors BoneSpy's victim profile: Russian-speaking individuals in Central Asian former Soviet states. Given the reattribution to Sandcat (Uzbekistan SSS), this targeting pattern aligns with Uzbekistan's intelligence priorities in its immediate neighborhood.
Attribution¶
Lookout initially attributed PlainGnome to Gamaredon based on dynamic DNS provider usage and IP address overlaps with known Gamaredon desktop campaign infrastructure. This was later corrected to Sandcat, a threat actor linked to Uzbekistan's State Security Service, first identified in 2019. The reattribution reflects additional evidence that distinguished the mobile campaign infrastructure from Gamaredon's operations. The operational pairing of PlainGnome with BoneSpy under a single threat actor demonstrates a clear evolution in mobile surveillance capability: from an open-source foundation (BoneSpy/DroidWatcher) to a custom-built tool (PlainGnome) with anti-analysis protections and stealth optimizations.
Related Families¶
| Family | Relationship |
|---|---|
| BoneSpy | Companion family by the same operator. BoneSpy is derived from DroidWatcher and uses a single-stage architecture. PlainGnome is custom-built with a two-stage dropper and more advanced anti-analysis features. Both share the same targeting profile and operator. |
| GuardZoo | Both are state-linked mobile surveillance tools targeting specific regional populations. GuardZoo targets Middle Eastern military personnel for Houthi-aligned intelligence, while PlainGnome targets Central Asian civilians and government figures for Uzbekistan's SSS. Both operate through social engineering rather than exploit chains. |
| KoSpy | Both use anti-analysis measures (emulator detection) and target specific language communities. KoSpy uses a Firebase Firestore first-stage for C2 configuration delivery, while PlainGnome uses a dropper APK for staged deployment. Both were disclosed by Lookout. |
References¶
- Lookout: BoneSpy and PlainGnome Android Surveillance
- The Hacker News: Gamaredon Deploys Android Spyware BoneSpy and PlainGnome
- BleepingComputer: Russian cyberspies target Android users with new spyware
- Security Affairs: First mobile malware families linked to Gamaredon
- SecurityOnline: Gamaredon APT Deploys Two Russian Android Spyware Families
- Infosecurity Magazine: Lookout Discovers New Spyware Deployed by Russia and China