apk.plain_gnome

PlainGnome

Actor(s): Gamaredon Group


According to Lookout, PlainGnome is deployed in two stages: a very minimal first stage that, once installed, drops a malicious APK as the second stage. The code of PlainGnome's second-stage payload evolved significantly from January 2024 through at least October 2024. In particular, PlainGnome's developers shifted to Jetpack WorkManager classes to handle data exfiltration, which eases development and maintenance of the related code. WorkManager also allows execution conditions to be specified; for example, PlainGnome only exfiltrates data from a victim device when the device enters an idle state. This mechanism is probably intended to reduce the chance of a victim noticing PlainGnome's presence on their device. Unlike the minimal first (installer) stage, the second stage carries out all of the surveillance functionality and relies on 38 permissions.

References
2024-12-11 | Lookout | Kyle Schmittle, Paul Shunk
Lookout Discovers Two Russian Android Spyware Families from Gamaredon APT
Families covered: BoneSpy, DroidWatcher, PlainGnome

There is no YARA signature yet.