PhoneSpy
Malware
⚠️ Overview
PhoneSpy is an Android spyware first publicly documented in October 2021 by Lookout Security. It is attributed to a Korean-speaking threat actor and belongs to the category of commercial spyware or RAT (Remote Access Trojan). According to Lookout’s threat intelligence report, PhoneSpy was distributed through fake iOS‑style messaging apps on third‑party Android app stores, targeting South Korean users.
🔧 Technical Capabilities
PhoneSpy exfiltrates a wide range of data: SMS messages, call logs, contact lists, device photos, GPS location, and keystrokes. It leverages Android accessibility services to grant itself elevated permissions without user consent. The spyware communicates with its command‑and‑control (C2) infrastructure via HTTP POST requests, encoding stolen data in base64 and exfiltrating it to attacker‑controlled servers. It uses a custom domain generation algorithm (DGA) to locate active C2 endpoints, and employs obfuscation techniques such as string encryption and reflection to evade static analysis. Persistence is achieved by requesting device admin privileges and registering as a foreground service, preventing the user from forcibly stopping it.
📜 History & Notable Incidents
First identified in mid‑2021 by Lookout, PhoneSpy was deployed in a campaign that compromised over 1,000 South Korean victims by October 2021. The spyware masqueraded as 16 different messaging apps, including a fake “iPhone Message” app. No specific CVEs are directly associated with PhoneSpy itself; it relies on social engineering and abuse of Android accessibility APIs rather than exploiting unpatched vulnerabilities. There have been no publicly reported law enforcement actions against the operators as of early 2025.
🔍 Detection Indicators
Lookout published indicators including the following package names: com.bbphone and com.messageplus. The spyware’s C2 domains include patterns like “totalkd.co.kr” and “messageplus.co.kr”. File hashes (SHA‑256) for known samples include 1a2b3c... (the specific hash values are given in Lookout’s report). Behavioral indicators: on launch the app requests the “Accessibility Service” and “Device Admin” permissions, and it sends periodic HTTP POST requests to /sendData.php endpoints. Registry keys and mutex names do not apply, since this is Android malware.
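As an added example (not code from the page or from Lookout), the script below applies the indicators above to constructed proxy-log lines and an MDM app inventory: it flags any contact with the listed C2 domains, treats a POST to /sendData.php on an unlisted host as a weaker signal, and reports devices carrying the known package names. The log layout and device names are assumptions.

```python
import re

# Indicators listed in the detection section above (from Lookout's reporting).
C2_DOMAINS = {"totalkd.co.kr", "messageplus.co.kr"}
C2_PATH = "/sendData.php"
PACKAGES = {"com.bbphone", "com.messageplus"}

# Constructed proxy-log lines in an assumed "timestamp device method url" layout;
# neither the format nor the device names come from the page.
SAMPLE_LOG = """\
2021-10-12T08:00:01Z dev-0a1 POST http://totalkd.co.kr/sendData.php
2021-10-12T08:00:05Z dev-0a1 GET https://www.google.com/
2021-10-12T08:05:01Z dev-0b2 POST https://api.messageplus.co.kr/sendData.php
2021-10-12T08:06:00Z dev-0c3 POST https://example.org/sendData.php
2021-10-12T08:07:00Z dev-0a1 GET http://totalkd.co.kr/index.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?]*)?")


def host_matches(host: str) -> bool:
    """True for a listed C2 domain or any subdomain of one."""
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, device, reason) for each line matching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        u = URL_RE.match(m.group(4)) if m else None
        if not u:
            continue  # skip lines that are not in the expected layout
        ts, device, method = m.group(1), m.group(2), m.group(3)
        host, path = u.group(1), u.group(2) or "/"
        if host_matches(host):
            hits.append((ts, device, f"contact with known C2 domain {host}"))
        elif method == "POST" and path.endswith(C2_PATH):
            # Weaker signal: the exfil path on a host not yet on the list.
            hits.append((ts, device, f"POST to {C2_PATH} on unlisted host {host}"))
    return hits


def scan_inventory(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map device -> known PhoneSpy package names found in its app list."""
    return {dev: sorted(set(apps) & PACKAGES)
            for dev, apps in inventory.items() if set(apps) & PACKAGES}
```

Feed real proxy exports and MDM inventories through the same two functions; the path-only match will also catch unrelated sites, so treat it as a lead to triage rather than a confirmed infection.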
☠️ Risk & Impact
PhoneSpy enables full‑scale surveillance and data theft, including theft of messages, contacts, and location data, leading to privacy breaches and potential blackmail. The campaign primarily affected South Korean individuals, with no documented financial losses or corporate data breaches. The spyware could be used to compromise personal communications for espionage or stalking.
🛡️ Mitigation
Mitigation centers on preventing installation from third‑party app stores: keep “Google Play Protect” enabled and “Install from Unknown Sources” disabled. Organizations should enforce Android Enterprise policies that block unknown sources. Lookout’s mobile threat defense solution detects PhoneSpy via behavioral and signature‑based rules; no specific patches are required, as the malware does not exploit system vulnerabilities.