
Cybersecurity usually focuses on one device, at least from a consumer perspective. But in an increasingly interconnected world, this approach may need to be revisited. Case in point: newly discovered malware used by state-sponsored hacker groups. Private security company ESET has discovered that a tool installed on a Windows PC will search the memory of any connected phone for even more information to steal.
The Dolphin malware is linked to several spyware and digital espionage groups believed to be working for the North Korean government, primarily to gather information on governments and industries in South Korea and other Asian countries. It is deployed for specific purposes. The tool uses fairly standard Python-based search methods on the victim’s computer and then uploads sensitive information such as passwords and other security credentials to a Google Drive account, from where the attackers can easily retrieve it. It also logs keystrokes to capture passwords, collects files with targeted extensions, and takes screenshots. The ESET report was spotted by BleepingComputer.
What is interesting is the extended reach across hardware. Once installed on a Windows device, Dolphin will also scan any portable storage connected via the Windows Portable Device API. This is the system that recognizes the storage of an Android phone or iPhone as different from, say, a USB stick. When a phone is connected, Dolphin performs the same search for confidential information and files in the phone’s storage. There doesn’t seem to be any means of actively compromising the phone once it is physically disconnected from the PC.
Currently, Dolphin is being used in watering hole attacks that infect websites frequented by high-level users associated with governments, banks, and other potential high-value targets. This indicates that it is being used to target specific users or groups that have access to valuable data or systems. In other words, this is not the kind of infection you get by downloading a sketchy browser extension. However, it’s a sobering reminder that the data stored on your phone is no more or less secure than that on your PC… and each can become vulnerable through the other.