Gamaredon APT Deploys Two Russian Android Spyware Families: BoneSpy and PlainGnome


Researchers at the Lookout Threat Lab have uncovered two sophisticated Android spyware families, BoneSpy and PlainGnome, attributed to the Russian-aligned Advanced Persistent Threat (APT) group Gamaredon. Also known as Primitive Bear or Shuckworm, Gamaredon has been linked to the Russian Federal Security Service (FSB), and this is the first documented instance of the group using mobile surveillance tools.

BoneSpy, operational since at least 2021, and PlainGnome, first identified in 2024, both provide extensive surveillance capabilities, including:

  • Tracking GPS location and device activity.
  • Collecting sensitive data such as SMS messages, call logs, and browser history.
  • Capturing ambient audio, call recordings, and photos using the device’s camera.
  • Gaining root access to bypass security measures.

According to the Lookout researchers, BoneSpy is derived from the Russian open-source DroidWatcher app. Conversely, PlainGnome does not share this lineage but is equally potent. The report notes, “PlainGnome supports a total of 19 commands, including functionality to collect SMS messages, GPS location, and ambient audio.”

While Gamaredon has a long history of targeting Ukraine, these new campaigns appear to extend their reach to former Soviet states, including Uzbekistan, Kyrgyzstan, and Tajikistan. This shift may reflect deteriorating relations between these countries and Russia post-2022. Lookout researchers emphasize, “BoneSpy and PlainGnome appear to target Russian speaking victims across the former Soviet Union.”

Notably, BoneSpy samples have included trojanized apps mimicking legitimate services like Telegram and Samsung Knox Manage, suggesting potential enterprise targeting.

PlainGnome exemplifies Gamaredon’s evolving tactics. Unlike BoneSpy’s self-contained architecture, PlainGnome employs a two-stage deployment process: the initial stage installs a minimal app that requests the permissions it needs and then drops the malicious payload. To evade detection, data exfiltration occurs only when the device is idle.

The infrastructure supporting these campaigns leverages dynamic DNS providers, such as No-IP’s ddns[.]net, a consistent tactic in Gamaredon’s operations. According to Lookout, Gamaredon uses mutually exclusive sets of C2 domains for the BoneSpy and PlainGnome families, while both sets overlap significantly with the infrastructure used in the group’s desktop campaigns.

Attributing these tools to Gamaredon stems from infrastructure overlaps with the group’s desktop campaigns and a shared naming convention for command-and-control (C2) domains. The spyware’s development is closely tied to Russian entities, with C2 domains hosted on Russian ISPs linked to FSB operations in Sevastopol, Crimea.

Lookout researchers concluded, “Both BoneSpy and PlainGnome are operated by Gamaredon,” reflecting the group’s continued focus on espionage across former Soviet states.
