A newly uncovered malware campaign has leveraged fake dating and social media apps to infect mobile devices and steal personal data from users on both Android and iOS. Security researchers at Zimperium identified over 250 malicious apps distributed via more than 80 domains, some posing as dating platforms to lure unsuspecting victims into installing malware.
Dubbed “SarangTrap,” the campaign relied on phishing websites designed to mimic legitimate app stores and well-known brands. Once a user downloaded one of the fake apps – many of which appeared to be dating or social networking tools – they were prompted to enter an invitation code. This process gave the attackers access to sensitive device permissions, under the guise of app functionality.
In reality, the apps had no legitimate features. Instead, once installed, they downloaded a payload capable of harvesting a wide range of personal data, including contacts, photos, text messages, phone numbers, and device identifiers. Some victims reportedly faced extortion, with attackers threatening to leak their private information or images unless demands were met.
While most of the apps targeted users in South Korea – as indicated by the prevalence of Korean-language app names – Zimperium warns that the campaign’s reach could extend globally. iPhone users were also at risk, with attackers using malicious configuration profiles to bypass Apple’s standard app protections.