A sophisticated and widespread malware campaign, dubbed “SarangTrap,” has been identified targeting mobile users with fake dating and social networking applications to harvest sensitive personal information. Security researchers at Zimperium uncovered the operation, which spans both Android and iOS devices and has utilized more than 250 distinct malicious apps and over 80 phishing domains. The campaign appears to have a strong focus on users in South Korea, exploiting social engineering to compromise a vast number of devices.
The core of SarangTrap’s strategy lies in emotional manipulation and deceptive design. Attackers lure victims using fake online profiles and offer exclusive “invitation codes” to access what appear to be legitimate, polished applications. Once a user installs one of these apps and enters the provided code, hidden spyware routines are activated. Although the app requests permissions that seem plausible for a social networking service, these permissions are abused to access and silently transmit a trove of personal data—including contact lists, private images, SMS messages, and unique device identifiers—to servers controlled by the attackers.
The threat actors have demonstrated an ability to adapt their methods to avoid detection. Recent analysis of newer Android samples shows that developers have removed specific permissions, such as for SMS access, from the app’s manifest file. However, the underlying code to exfiltrate messages remains, suggesting a deliberate tactic to bypass automated security scans that look for suspicious permission requests while still retaining the malware’s core spying capabilities. This continuous experimentation highlights the campaign’s ongoing evolution to maintain its effectiveness against modern security measures.
SarangTrap’s reach is not limited to the Android ecosystem; it also employs a clever strategy to target iOS users.
Instead of relying on traditional app installations, the campaign distributes malicious mobile configuration profiles. When an unsuspecting user installs one of these profiles, it grants the attackers broad access to their contacts, photos, and device information without triggering the same level of security warnings as a standard app install. This cross-platform approach is amplified by a network of 88 unique domains, many of which have been indexed by search engines, lending a false sense of credibility to the malicious downloads.
The scale and persistence of the SarangTrap campaign underscore a significant threat to mobile security. With hundreds of malware variations designed to evade detection and a robust distribution infrastructure, the operation successfully blends technical evasion with psychological manipulation. Despite some apps having reduced visible permissions, the core functionality remains potent, allowing for the continued large-scale exfiltration of private data from victims who believe they are engaging with a legitimate online service.
Reference:
