BoneSpy

Malware

⚠️ Overview

BoneSpy is an Android remote access trojan (RAT) documented by Lookout Threat Lab, which attributes it to Gamaredon (also tracked as Primitive Bear and Armageddon), a Russian state-aligned espionage group. Lookout traced BoneSpy samples back to 2021 and found the family built on DroidWatcher, an open-source Russian stalkerware project. Its reported targets are Russian-speaking individuals in former Soviet states, including Uzbekistan, Kazakhstan, Tajikistan and Kyrgyzstan. The malware is delivered as trojanized Android applications posing as legitimate messaging or utility apps (Telegram and Samsung Knox lookalikes among the lures) and relies on permissions the victim grants at install time, including the accessibility service, for broad device control.

🔧 Technical Capabilities

Once the victim enables it, BoneSpy abuses Android's AccessibilityService API to read screen contents, capture keystrokes, and pull SMS messages, call logs and contact lists. Command-and-control (C2) traffic runs over HTTPS as AES-encrypted JSON, carried through Firebase Cloud Messaging (FCM) or sent to hardcoded server domains. Persistence comes from two sources: a receiver for the BOOT_COMPLETED broadcast (which requires the RECEIVE_BOOT_COMPLETED permission) restarts the implant after every reboot, and registration as a device administrator blocks the ordinary uninstall path until the admin is deactivated. Anti-analysis measures include obfuscated DEX code, strings that are decrypted only at runtime, and emulator checks that stop execution inside sandboxes. The implant can also record ambient audio, take photos with the camera, and report the device's position from GPS or network-based location.

📜 History & Notable Incidents

Lookout published its analysis of BoneSpy in December 2024, together with a second Gamaredon Android family, PlainGnome, and dated the earliest BoneSpy samples to 2021. The attribution rests on command-and-control infrastructure shared with Gamaredon's established desktop campaigns. No CVEs are associated with the malware: it depends on social engineering and on permissions the victim grants rather than on exploiting Android vulnerabilities. No law enforcement action against the operators has been publicly documented.

🔍 Detection Indicators

The SHA-256 value reproduced from the original listing, 3a4f8c1b2e5d6a7b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2, is 63 hexadecimal characters long and therefore cannot be a SHA-256 digest (which is exactly 64); confirm any file hash against Lookout's report before loading it into a blocklist, and treat the package names (com.secure.vpn, com.messenger.pro), the accessibility service name (BoneService) and the domain api.bonespy[.]net listed here as illustrative patterns rather than verified indicators. Behavioral indicators are more durable: an app whose manifest declares a service bound with BIND_ACCESSIBILITY_SERVICE, a receiver bound with BIND_DEVICE_ADMIN and a BOOT_COMPLETED receiver, alongside SMS, call-log, microphone, camera and location permissions that its advertised purpose does not need. Windows-style registry keys do not exist on Android; on a device, review the enabled accessibility services and the device admin apps list in Settings (the exact menu location varies by OEM), or from a workstation run adb shell settings get secure enabled_accessibility_services and adb shell dumpsys device_policy to enumerate them, and look for outbound HTTPS sessions from the app to domains unrelated to its stated function.
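The following Python script is an added example written for this page (it is not code from Lookout or from the malware itself) that automates two of the checks above: static triage of a decoded AndroidManifest.xml for the accessibility-service, device-admin, boot-persistence and surveillance-permission markers described under Technical Capabilities, and validation that a hash string really is a SHA-256 digest before it enters a blocklist. The manifests and the enabled_accessibility_services value are constructed samples; the package, service and receiver names are borrowed from the illustrative names above, not from a confirmed sample. Decode a real APK first (for example with apktool d app.apk) and pass the resulting AndroidManifest.xml text to triage_manifest.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, combined with the components checked below, give an implant
# the collection and persistence capabilities described on this page.
PERMS_OF_INTEREST = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_BIND = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest modelled on the page's illustrative names; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.messenger.pro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".BoneService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: a single-activity app with network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Hash string exactly as printed in the listing above (63 hex chars, so not a valid SHA-256).
PAGE_HASH = "3a4f8c1b2e5d6a7b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2"
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()  # a genuine 64-char digest for comparison

# Constructed value of `settings get secure enabled_accessibility_services`:
# a legitimate screen reader followed by the implant's service.
SAMPLE_A11Y_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                       ":com.messenger.pro/.BoneService")


def _attr(el, name):
    return el.get(ANDROID_NS + name, "")


def _actions(el):
    """Set of intent-filter action names declared on a component."""
    return {_attr(a, "name") for f in el.findall("intent-filter") for a in f.findall("action")}


def triage_manifest(xml_text):
    """Score a decoded manifest for the surveillance and persistence markers on this page."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    comps = list(app) if app is not None else []
    services = [c for c in comps if c.tag == "service"]
    receivers = [c for c in comps if c.tag == "receiver"]
    f = {
        "package": root.get("package", ""),
        "permissions_of_interest": sorted(perms & PERMS_OF_INTEREST),
        "accessibility_services": [_attr(s, "name") for s in services
                                   if _attr(s, "permission") == ACCESSIBILITY_BIND],
        "device_admin_receivers": [_attr(r, "name") for r in receivers
                                   if _attr(r, "permission") == DEVICE_ADMIN_BIND],
        # Boot persistence needs both the permission and a receiver for the broadcast.
        "boot_receivers": [_attr(r, "name") for r in receivers
                           if BOOT_ACTION in _actions(r)
                           and "android.permission.RECEIVE_BOOT_COMPLETED" in perms],
    }
    # Heuristic weighting: any one component is common in legitimate software
    # (a screen reader, an MDM agent); the combination is what stands out.
    f["score"] = (len(f["permissions_of_interest"]) + 3 * bool(f["accessibility_services"])
                  + 3 * bool(f["device_admin_receivers"]) + 2 * bool(f["boot_receivers"]))
    f["suspicious"] = f["score"] >= 8
    return f


def is_valid_sha256(digest):
    """True only for exactly 64 hexadecimal characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def unexpected_accessibility_services(setting_value, trusted_packages):
    """Parse the colon-separated package/service list from
    `adb shell settings get secure enabled_accessibility_services` and return the
    entries whose package is not on the allowlist.  Android reports 'null' when empty."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c and c.split("/", 1)[0] not in trusted_packages]


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
    print("page hash valid:", is_valid_sha256(PAGE_HASH), "| real digest valid:", is_valid_sha256(EMPTY_FILE_SHA256))
    print(unexpected_accessibility_services(SAMPLE_A11Y_SETTING, {"com.google.android.marvin.talkback"}))
```

The score threshold is deliberately a triage aid, not a verdict: an accessibility service or a device admin receiver alone is normal for screen readers and enterprise agents, so the script only flags the combination of persistence components with collection permissions that a messaging or utility app has no reason to hold. The accessibility-service allowlist should be built from the packages your fleet actually deploys.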

☠️ Risk & Impact

BoneSpy's value to its operators is long-term surveillance: it exfiltrates SMS content, call logs, contact networks, ambient audio and location from a compromised phone, which maps a target's relationships and movements over time. Lookout's reporting places the victims among Russian-speaking individuals in former Soviet states such as Uzbekistan, Kazakhstan, Tajikistan and Kyrgyzstan, consistent with Gamaredon's intelligence collection remit; people in government, military and diplomatic roles in those countries are the most exposed, with the same tooling reusable against targets elsewhere in the region.

🛡️ Mitigation

Mitigation starts with closing the delivery path: keep installation from unknown sources disabled (or block sideloading outright through mobile device management), keep Google Play Protect enabled, and train users that no messaging or utility app needs accessibility-service or device-administrator rights. Audit the enabled accessibility services and active device administrators on managed devices on a recurring schedule, and deploy a mobile threat defense product that flags the permission and component combinations described above together with C2 traffic to unfamiliar domains. SOC teams should source indicators and detection signatures from Lookout's published research and threat intelligence feed rather than from secondary listings.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.