Jul 23, 2025

The Dark Side of Romance: SarangTrap Extortion Campaign

Rajat Goyal

Executive Summary

In recent weeks, our zLabs team uncovered a highly coordinated and emotionally manipulative malware campaign targeting mobile users on both Android and iOS platforms. This extensive campaign involved over 250 malicious Android applications and more than 80 malicious domains, all disguised as legitimate dating and social media applications. Threat actors used these domains to deceive users into installing malware designed to extract sensitive personal data, such as contact lists and private images, all while maintaining a convincing appearance of normalcy. These malicious apps specifically targeted a diverse audience, including dating app users, cloud file service seekers, and car service platforms (see Figure 1).

Fig. 1: Icon of the apps distributed via phishing domains

Fake Apps, Real Threats: Distribution Method

The campaign used carefully crafted phishing domains to mimic legitimate brands and app stores, thereby tricking users into downloading the malware. As shown in Figure 2, these deceptive pages promoted downloads for both Android and iOS, masquerading as legitimate services like dating platforms, cloud storage, etc.

Fig. 2: Phishing pages promoting downloads for both Android and iOS

Once installed, the app displays a slick, seemingly harmless UI and requests permissions under the guise of needing full functionality.

From SMS to selfies: It's Spying On You!

Upon installation, the app prompts users to enter a valid invitation code, creating the illusion of a private or exclusive service. Once the user submits the code, it’s sent to the attacker's command-and-control (C2) server for validation. Only after verifying the code does the app proceed to request sensitive permissions, which are displayed on a screen as shown in Figure 3, prompting access to SMS, files, and contacts.

Fig. 3: Permission request screen prompting access to SMS, files, and contacts

This carefully orchestrated process allows the malware to remain unnoticed. By waiting until the user fully interacts with the interface, including entering the invitation code, the app successfully evades detection by most dynamic analyses and antivirus scans that typically only monitor initial behavior.

After the permissions are granted, the app reveals a deceptive interface. As shown in Figure 4, it merely displays SMS messages from the device, along with buttons to select contacts and images, but it contains no actual dating features or functionality. It is purely a facade designed to make the user believe they are using a legitimate service while their private data is silently stolen in the background.

Fig. 4: Deceptive interface showing device SMS messages with contact and image selectors

Behind the scenes, as shown in Figure 5, the app silently begins exfiltrating user data to the attacker's server, including:

  • Phone number and device identifiers
  • Full contact list
  • Private images (compressed via the Luban image compression library)
  • SMS messages (if permission is granted)

Fig. 5: Exfiltration of user data to the attacker's server

iOS version

In addition to the Android campaign, our analysis revealed that the attackers also target iOS users using a deceptive mobile configuration profile. When the user chooses to install the app on the iPhone, they are instructed to follow a three-step installation process, as shown in Figure 6. Once installed, this profile grants the attacker access to sensitive user data, including contacts, photos, and the photo library.

Fig. 6: Three-step installation process for the iOS configuration profile

This discovery confirms that the SarangTrap campaign is cross-platform, employing tailored strategies for both Android and iOS users, which significantly expands its threat landscape.

Still Cooking: TAs Are Testing What Works

In the latest samples analysed, we have observed a notable shift in the malware’s strategy; the app no longer declares SMS-related permissions in the manifest file.

However, despite the absence of SMS permissions in the manifest, the actual code for SMS exfiltration remains intact within the app’s source. This suggests that the malware is still under active development, with the threat actors experimenting with different configurations to bypass security mechanisms while preserving core spyware functionality.

In this new variant, the malware requests only three permissions — access to contacts, external storage, and phone information — completely omitting the SMS permission from both the manifest and runtime prompts. Despite this, it still performs extensive data exfiltration, uploading contacts, images, and device information (including the phone number) to the attacker's command-and-control server. This marks a shift from the initial version, which also requested SMS-related permissions and actively exfiltrated message content, highlighting how the threat actors are experimenting with permission combinations to improve stealth and evade antivirus detection.
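The manifest-versus-code gap described above is something an analyst can check mechanically. The following Python example is added here and is not Zimperium's tooling or code from the samples: it parses a decoded AndroidManifest.xml, compares the declared permissions against content URIs and class references typical of SMS, contacts and storage access, and flags capabilities that appear in code but are absent from the manifest. The manifest and string list are constructed for the example; in practice they would come from a decoded APK (for instance apktool output and a DEX string dump).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Code-level indicators a decompiled app would contain if it actually exercises
# a capability, keyed by the manifest permission that should gate it. READ_SMS is
# the case relevant to the newer variant; contacts and storage are included so the
# same check generalizes to the other permissions the variant still requests.
PERMISSION_INDICATORS = {
    "android.permission.READ_SMS": ("content://sms", "Landroid/provider/Telephony$Sms"),
    "android.permission.READ_CONTACTS": ("content://com.android.contacts", "Landroid/provider/ContactsContract"),
    "android.permission.READ_EXTERNAL_STORAGE": ("Landroid/os/Environment;->getExternalStorageDirectory",),
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get("{%s}name" % ANDROID_NS) for e in root.iter("uses-permission")}

def undeclared_capabilities(manifest_xml: str, code_strings) -> dict:
    """Map each permission whose code indicators are present but which is not declared."""
    declared = declared_permissions(manifest_xml)
    findings = {}
    for perm, indicators in PERMISSION_INDICATORS.items():
        hits = sorted(s for s in code_strings if any(i in s for i in indicators))
        if hits and perm not in declared:
            findings[perm] = hits
    return findings

# Constructed manifest in the shape of the newer variant: contacts, storage and
# phone state declared, no SMS permission. The package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed strings of the kind found in decompiled smali / a DEX string table.
SAMPLE_CODE_STRINGS = [
    "content://sms/inbox",
    "Landroid/provider/ContactsContract$CommonDataKinds$Phone;",
    "Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;",
    "https://c2.example.invalid/upload",  # placeholder URL, not a real indicator
]

if __name__ == "__main__":
    for perm, hits in undeclared_capabilities(SAMPLE_MANIFEST, SAMPLE_CODE_STRINGS).items():
        print(f"{perm} is not declared but is referenced by: {hits}")
```

A READ_SMS hit here is exactly the signal the newer variant would show: SMS-reading code retained while the permission that would gate it is no longer requested.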

Scale of the Campaign

The breadth and sophistication of this malware campaign reveal a deeply coordinated operation targeting mobile users, particularly in South Korea, with frightening effectiveness. Our threat research uncovered a network of 88 unique domains, of which more than 70 were actively distributing malware and functioning as phishing websites.

What makes this campaign especially dangerous is its high visibility online; over 25 of these malicious domains were indexed by Google, ranking for common dating-related search terms. This allowed them to appear as legitimate results in search engines, creating a false sense of trust for users simply looking to download legitimate apps.

As shown in the table below, the translated titles of these indexed phishing pages reveal how the threat actors tailored their content to appear friendly, localized, and emotionally appealing, ranging from platforms for making new friends to tools for accessing private file-sharing.

Identified Phishing Page Titles (Indexed by Google) | Translated Text
--- | ---
Bunny-동네친구,외국인친구,술친구,애인만들기 | Bunny - Making neighborhood friends, foreign friends, drinking friends, and lovers
Sfile,저장공간,비밀문서,비밀사진,사진공유가 필요할때 | When you need Sfile, storage space, secret documents, secret photos, and photo sharing
그 동안 부담됐던 월 렌트료 이제그만 고민하세요 Car Solution에서 해결해드립니다! | Stop worrying about the monthly rent that has been burdensome for so long. Car Solution will solve it for you!
동네친구,외국인친구,술친구,애인만들기 | Making local friends, foreign friends, drinking friends, lovers
YOLO!-동네친구,외국인친구,술친구,애인만들기 | YOLO! - Make local friends, foreign friends, drinking friends, and lovers
LOVES-동네친구,외국인친구,술친구,애인만들기 | LOVES - Making local friends, foreign friends, drinking friends, lovers
King클라우드,저장공간,비밀문서,비밀사진,사진공유가 필요할때 | When you need King Cloud, storage space, secret documents, secret photos, and photo sharing
Wolf-동네친구,외국인친구,술친구,애인만들기 | Wolf - Making neighborhood friends, foreign friends, drinking friends, and lovers
플러팅♡-동네친구,외국인친구,술친구,애인만들기 | Flirting ♡ - Making neighborhood friends, foreign friends, drinking friends, lovers
Z클라우드,저장공간,비밀문서,비밀사진,사진공유가 필요할때 | When you need Z Cloud, storage space, secret documents, secret photos, and photo sharing
yeosin19Erotic-동네친구,외국인친구,술친구,애인만들기-에로톡 | yeosin19Erotic - Making neighborhood friends, foreign friends, drinking friends, lovers - Erotic talk
국내1위!! 키스방-즐겁고 건전한 놀이문화를 탈출하세요 | #1 in Korea!! Kiss Room - Escape the fun and healthy play culture

One of the most striking indicators of the campaign’s scale is the more than 250 unique Android malware samples that we identified. These apps were designed to appear harmless, featuring sleek interfaces and fake functionalities, while silently harvesting contacts, device information, images, and, in earlier versions, SMS content. Even more concerning is how the attackers evolved their tactics, as seen in newer variants that omit critical permissions from manifest files to better evade security tools.

The timeline of domain registrations also reveals a methodical approach. Our data shows spikes in domain creation activity, indicating coordinated rollouts designed to flood the internet with phishing fronts during certain periods, all while continuing to refine the malware’s evasion techniques.

As shown in Figure 8, the graph of domain creation over time highlights the burst pattern of domain registration and how many of those domains remain active.

Fig. 8: Graph showing the number of domains registered by threat actors over time

Perhaps the most sobering evidence of this campaign’s impact comes from a real-life testimony on a Korean blog (see Figure 9). A man recounted how he installed what appeared to be a dating app after a breakup. A fake profile soon contacted him, initiating an emotionally manipulative conversation. Eventually, he was sent a link and a code to access a supposed “personal video,” which was part of the scam. Unbeknownst to him, the app secretly accessed his contacts and recorded video content, which was later used to blackmail him with threats of sharing the footage with family members.

Fig. 9: Victim testimony published on a Korean blog

This unsettling story is not an isolated incident; it highlights the psychological manipulation and social engineering tactics that these campaigns employ to take advantage of emotional vulnerability. Victims are enticed into installing malware with the promise of companionship, only to discover that they are caught in a cycle of surveillance, extortion, and humiliation.

In short, this is more than a malware outbreak. It’s a digital weaponisation of trust, emotion, and isolation, disguised behind fake apps and phishing domains — and it’s still evolving.

Zimperium vs SarangTrap

Zimperium's on-device Mobile Threat Defense (MTD) solution and zDefend customers are fully protected against the SarangTrap malware. Our advanced detection capabilities identify the malware samples and iOS Profiles.

At the same time, MTD customers have an extra layer of security by detecting the malicious links used to distribute this campaign.

By continuously monitoring and adapting to evolving threat landscapes, Zimperium ensures comprehensive protection for mobile devices against sophisticated malware like SarangTrap.

MITRE ATT&CK Techniques

To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference.

Tactic | ID | Name | Description
--- | --- | --- | ---
Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be a genuine app.
Discovery | T1426 | System Information Discovery | The malware collects basic device info.
 | T1420 | File and Directory Discovery | Enumerates files and directories on external storage.
 | T1422 | System Network Configuration Discovery | Collects IP and SIM information.
 | T1636.003 | Protected User Data: Contact List | Exports the device's contacts.
Collection | T1533 | Data from Local System | Collects files from external storage.
Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | Uses HTTP to communicate with the C&C server.
Exfiltration | T1646 | Exfiltration Over C2 Channel | Sends exfiltrated data over the C&C channel.
Impact | T1582 | SMS Control | Can read SMS messages.

Indicators of compromise (IOCs)

The IOCs for this campaign can be found in the following repository.