
    New Malware Campaigns Target Android and iOS Users with Fake Apps

    Cybersecurity researchers have identified a surge in malware attacks targeting Android and iOS users through deceptive websites designed to mimic legitimate app download pages. Among the threats uncovered are the well-known SpyNote trojan, along with BadBazaar and MOONSHINE malware.

    Threat actors are deploying SpyNote by creating fake Google Play Store pages promoting apps like the Chrome browser. These sites, mixing English and Chinese elements, prompt users to download a malicious APK file that drops a second-stage payload, granting attackers extensive access to compromised devices. Once installed, SpyNote abuses Android’s accessibility services to collect SMS messages, contacts, call logs, location data, and files. It can also remotely control the device’s microphone, camera, and calls.

    SpyNote has previously been linked to campaigns by various threat groups, including state-sponsored actors, and shows similarities to the Gigabud malware, potentially connecting it to the Chinese-speaking group known as GoldFactory.

    In parallel, new warnings have been issued regarding BadBazaar and MOONSHINE spyware targeting Uyghur, Tibetan, and Taiwanese communities. Distributed under the guise of messaging, utility, or religious apps, these trojans are capable of extracting a wide range of sensitive information from mobile devices.

    BadBazaar, which dates back to at least 2018, has ties to the Chinese-linked threat group APT15. Its iOS variant, while more limited than its Android counterpart, still enables the theft of personal data. MOONSHINE, used by a group identified as Earth Minotaur, has been instrumental in surveillance efforts, with stolen data being managed through attacker-controlled admin panels known as SCOTCH ADMIN. As of early 2024, over 600 compromised devices were recorded across multiple panels.

    These incidents highlight the growing risk of mobile-focused cyber threats, with reports noting that in 2024, iOS users faced phishing attacks at more than double the rate of Android users. Recent developments also include the arrest of an individual suspected of espionage activities against the Uyghur community in Sweden.
