
Remove PlainGnome Android trojan

The PlainGnome Android trojan is surveillance malware: it steals data from the device and can also spy on its user through the microphone and camera. It is believed to be operated by Gamaredon, a threat actor attributed to the Russian state and specifically to the Federal Security Service of the Russian Federation (FSB). Its targets are Russian-speaking users in former USSR states, most likely high-profile individuals.


The PlainGnome Android trojan is a very serious infection, with capabilities that allow its operators to essentially spy on users. It appears to target Russian-speaking users in former USSR states such as Kazakhstan, Uzbekistan, and Tajikistan. It is worth stressing that the actors operating this malware are Russian state actors, specifically associated with the FSB.

The malware appears to be spread via fake image gallery apps and installs in two stages. The first-stage app has to trick the user into granting it the "REQUEST_INSTALL_PACKAGES" permission, which Android surfaces in settings as "Install unknown apps" and which exists for exactly one purpose: letting an app install other packages. A gallery app has no legitimate need for it. Once the permission is granted, the app shows a new window with a button labelled "catalog" in Russian; only after the user taps that button does the malware fully initiate and deliver its surveillance component.

The malware’s range of capabilities is very alarming. It can steal a large amount of information, including device information, mobile service provider details, contacts, call logs (phone numbers, contact names, incoming/outgoing calls, date/time, and duration), notifications, received/sent SMS (date/time, recipients, and message contents), location, and browsing history. On top of that, the malware records surrounding audio and can take photos, which means it can effectively record conversations held near the device. Interestingly, it may stop recording audio while the device is actively being used; this appears designed to avoid the microphone privacy indicator that Android 12 and later display in the status bar whenever the microphone is in use, which would otherwise tip the user off.

Infections like the PlainGnome Android trojan are very serious, particularly because they are operated by Russian state actors.

How is the PlainGnome Android trojan distributed?

Like other Android malware, the PlainGnome Android trojan could be distributed in several different ways, but at the moment it appears to be spread via deceptive image gallery apps. Such malicious apps are typically found on third-party app stores and questionable download sites, disguised as legitimate ones. This is generally the method attackers use when they target users at scale.

When targeting specific individuals, malicious actors often employ phishing and social engineering tactics, such as emails and messages. If they have certain personal information about their targets, these phishing and social engineering attempts can be highly sophisticated and seem very credible, increasing the chances of targets interacting with them. Users may come across Android malware when engaging in pirating activities, particularly when downloading cracks or copyrighted content. Malware is commonly found on various third-party app stores and unreliable download sites as well.

How to protect yourself from Android malware

Users who are more careful when online tend to infect their devices significantly less frequently. It’s a good idea to develop good browsing habits, some of which include:

Researching apps before downloading

It’s very important to research apps before installing them. Users should look into the developer, check the reviews, and carefully review the permissions the app requests. Users should never download any apps from any sources without double-checking all the information.

Using legitimate stores/platforms to download apps

We strongly recommend that users use official app stores, such as the Google Play Store to download apps. Third-party app stores often lack proper security, making it very easy for malicious users to upload malicious apps disguised as legitimate ones. The Google Play Store is the safest option for downloading apps due to the security measures designed to prevent malware. Although some malware may occasionally slip through Google’s defenses, this is quite rare when compared to the risks associated with third-party app stores.

Always carefully reviewing requested permissions

A good way to avoid Android malware is to thoroughly evaluate the permissions an app requests before granting them. When an app is installed or first run, it typically asks for specific permissions it needs to function. Users should be very cautious when granting these and ask whether each one makes sense for what the app claims to do. For instance, a game that asks for permission to access messages or make calls should be an immediate red flag, and so should an image gallery that asks to install other apps, record audio, or read SMS. Permissions already granted can be reviewed and revoked later under the app's entry in the device's Settings, so it is worth periodically checking what installed apps have been allowed to do.
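The permission review described above can be partly automated when an APK is available for inspection. The following is an added example (not code from the original article or from the researchers it draws on) that triages a decoded AndroidManifest.xml against the capabilities listed earlier: it maps each capability (contacts, call logs, SMS, location, audio, photos, notifications, installing a second package) to the Android permission that grants it, and flags a mismatch between what a self-described gallery app should need and what it declares. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool or androguard); the three manifests embedded below are constructed for illustration and are not the real malware's manifests.

```python
# Added example, not code from the original article or from the malware
# researchers it draws on: triage a decoded AndroidManifest.xml for the
# permissions a spyware payload with the capabilities listed above would need,
# and flag a mismatch between an app's claimed purpose (an image gallery) and
# what it declares. Assumptions: the manifest was already decoded from the
# APK's binary XML (e.g. with apktool or androguard); the three manifests below
# are constructed for illustration and are not PlainGnome's real manifests.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the article, mapped to the permission that grants them.
SPYWARE_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a second-stage APK",
    "android.permission.READ_PHONE_STATE": "device and carrier details",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "record surrounding audio",
    "android.permission.CAMERA": "take photos",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# What an image gallery plausibly needs and nothing more.
GALLERY_BASELINE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.INTERNET",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def has_notification_listener(manifest_xml):
    """True if a <service> is guarded by the notification-listener permission,
    which is how an app gets to read every notification on the device."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
               for svc in root.iter("service"))


def triage(manifest_xml, baseline=GALLERY_BASELINE):
    """Compare declared permissions against the spyware set and a baseline."""
    perms = declared_permissions(manifest_xml)
    spy = set(SPYWARE_PERMISSIONS)
    findings = [f"{p}: {SPYWARE_PERMISSIONS[p]}" for p in sorted(perms & spy)]
    if has_notification_listener(manifest_xml):
        findings.append("notification listener service: reads all notifications")
    return {
        "verdict": "suspicious" if findings else "consistent with a gallery app",
        "findings": findings,
        # permissions that are neither spyware-grade nor expected for a gallery
        "unexplained": sorted(perms - baseline - spy),
    }


def _manifest(permissions, services=()):
    """Build a minimal decoded manifest (constructed sample input, hypothetical package name)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    svcs = "".join(f'<service android:name="{n}" android:permission="{p}"/>' for n, p in services)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.gallery">{uses}<application>{svcs}</application></manifest>')


# Stage one as the article describes it: looks like a gallery, but asks to install packages.
DROPPER_MANIFEST = _manifest([
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
])
# Stage two: a surveillance payload with the capabilities listed in the article.
PAYLOAD_MANIFEST = _manifest(
    ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
     "android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
     "android.permission.RECEIVE_SMS", "android.permission.ACCESS_FINE_LOCATION",
     "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
     "android.permission.READ_PHONE_STATE", "android.permission.WAKE_LOCK"],
    services=[(".NotifSvc", NOTIFICATION_LISTENER)],
)
# A gallery app that asks for only what it needs.
BENIGN_MANIFEST = _manifest(["android.permission.READ_MEDIA_IMAGES", "android.permission.INTERNET"])

if __name__ == "__main__":
    for label, m in [("dropper", DROPPER_MANIFEST), ("payload", PAYLOAD_MANIFEST), ("benign", BENIGN_MANIFEST)]:
        print(label, triage(m))
```

The point the two stages illustrate is that a dropper can look almost clean: its only tell is REQUEST_INSTALL_PACKAGES, so a review that only looks for "scary" permissions such as microphone or SMS access misses it. Checking permissions against what the app's stated purpose actually requires, rather than against a fixed blocklist, catches both stages.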

Keeping the device up to date

Keeping all devices updated is crucial, as updates address known vulnerabilities that could be exploited by malicious actors. It’s essential to install these updates as soon as they become available to protect devices.

Not clicking on unknown links or opening unsolicited email attachments

This is relevant to all users, regardless of the type of device they use. It’s essential to exercise caution with unsolicited SMS messages, emails, or any other communications that contain links or attachments. Government agencies (such as law enforcement and tax agencies), banks, and similar institutions rarely ask users to act through a link in an unsolicited message, so any such message should be treated as suspect: rather than following the link, go to the organisation’s website directly or call it using a number from an official source. Avoid clicking on unknown links and refrain from opening unsolicited email attachments without first verifying that they are safe, for example by scanning them with an anti-virus program or uploading them to VirusTotal. Keep in mind that files uploaded to VirusTotal are shared with the security community, so do not upload documents containing sensitive or personal information.

Site Disclaimer

2-remove-virus.com is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim to provide useful information that will help computer users to detect and eliminate unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be bound by the disclaimer. We do not guarantee that the article will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.