SEOUL: A sweeping cross-platform malware campaign dubbed SarangTrap has emerged as a serious threat to mobile users, with researchers identifying over 250 Android malware samples and more than 80 malicious domains designed to mimic dating and cloud service platforms. The coordinated operation, first flagged by Zimperium’s zLabs, employs social engineering tactics to extract highly sensitive personal data, including photos, contacts, and even SMS messages, while presenting a harmless user interface.
Malware Hidden in Dating, Cloud, and Ride-Hailing Apps
The attackers behind the SarangTrap campaign created phishing domains and fake mobile apps with sleek designs and emotionally appealing hooks. These apps, available for Android and iOS, presented themselves as dating platforms, cloud storage tools, and even car service utilities. Once downloaded, they prompt users for an “invitation code,” leading them to believe they are accessing an exclusive service. The code is then transmitted to a command-and-control server, which triggers the malware’s next steps.
After the code is verified, the application begins requesting permissions under the guise of enabling full features. These permissions include access to SMS, files, and contact lists. While the interface continues to show benign activity, such as dummy chat screens or contact selectors, the app operates in the background to harvest user data. Images are compressed using the Luban image compression library before being sent to the attacker’s servers.
Even on iOS devices, attackers deploy a mobile configuration profile that grants similar access to photo libraries and contact information. The installation process is concealed behind a three-step prompt guiding users to bypass standard app store vetting. Once installed, the profile allows data exfiltration without any visible indication of malicious behaviour.
New Malware Variant Evades Detection by Omitting SMS Permissions
More recent samples of the malware show an evolution in its evasion strategy. The latest Android variants no longer declare SMS permissions in the manifest file, likely to avoid detection by antivirus programs. However, analysis reveals that the code for SMS exfiltration remains within the source, implying that the functionality could be reactivated or is triggered conditionally.
These updated versions instead request only access to contacts, external storage, and device information, enough to perform large-scale surveillance without raising suspicion. The malware continues to silently upload device metadata, contacts, and images to attacker-controlled servers.
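The mismatch described above, SMS-handling code left in the APK while the manifest no longer declares any SMS permission, is something a triage script can surface directly. The following is an added example written for this article, not code from Zimperium or from the campaign's samples: it parses a constructed AndroidManifest.xml, lists the sensitive permissions it declares, and then checks a constructed decompiled-source snippet for references to the Android SMS content provider and SmsManager API. When SMS API references appear without a matching `*_SMS` permission, it flags a dormant SMS capability of the kind the newer variants exhibit. The function names (`triage`, `declared_permissions`, `sms_api_references`) and the sample inputs are assumptions made here for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth flagging in a first-pass review (constructed subset).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

# Real Android framework identifiers whose presence in decompiled code
# indicates SMS access, whether or not the manifest asks for it.
SMS_API_PATTERNS = {
    "Telephony.Sms": re.compile(r"Telephony\.Sms"),
    "content://sms": re.compile(r"content://sms"),
    "SmsManager": re.compile(r"\bSmsManager\b"),
    "SMS_RECEIVED": re.compile(r"SMS_RECEIVED"),
}

# Constructed manifest resembling the newer variant: contacts, storage and
# device info only, no SMS permission declared.
NEW_VARIANT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.datingapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Dating"/>
</manifest>
"""

# Constructed manifest resembling an earlier variant that still declared SMS access.
OLD_VARIANT_MANIFEST = NEW_VARIANT_MANIFEST.replace(
    '<uses-permission android:name="android.permission.READ_CONTACTS"/>',
    '<uses-permission android:name="android.permission.READ_SMS"/>\n'
    '  <uses-permission android:name="android.permission.READ_CONTACTS"/>',
)

# Constructed fragment of decompiled Java: the SMS reader is still present.
DECOMPILED_SNIPPET = """
Cursor c = resolver.query(Telephony.Sms.CONTENT_URI, null, null, null, null);
Uri inbox = Uri.parse("content://sms/inbox");
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def sms_api_references(decompiled_source: str) -> set:
    """Return the labels of SMS-related API patterns found in the source."""
    return {
        label for label, pattern in SMS_API_PATTERNS.items()
        if pattern.search(decompiled_source)
    }


def triage(manifest_xml: str, decompiled_source: str) -> dict:
    """Compare declared permissions with code-level SMS capability."""
    perms = declared_permissions(manifest_xml)
    sms_perms = {p for p in perms if p.endswith("_SMS")}
    sms_refs = sms_api_references(decompiled_source)
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "sms_permissions": sorted(sms_perms),
        "sms_api_references": sorted(sms_refs),
        # SMS code with no SMS permission: the manifest alone would miss it.
        "dormant_sms_capability": bool(sms_refs) and not sms_perms,
    }


if __name__ == "__main__":
    for label, manifest in (("new", NEW_VARIANT_MANIFEST), ("old", OLD_VARIANT_MANIFEST)):
        print(label, triage(manifest, DECOMPILED_SNIPPET))
```

The point of the check is that permission-based scanning, which the article notes the newer variants are likely trying to evade, is only half of the picture; pairing the manifest with a pass over the decompiled code catches capability that has been left in place but not declared.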
Zimperium researchers believe the campaign is actively being tested and refined, with operators experimenting with permission combinations and manifest configurations to stay ahead of mobile security tools. Their on-device Mobile Threat Defence (MTD) and zDefend solutions have flagged all known samples and phishing links associated with the campaign.
South Korea at Epicentre, But Global Reach Grows
The campaign appears to be especially concentrated in South Korea. Of the 88 phishing domains tracked, more than 70 remain active and accessible. Over 25 of them have been indexed by Google, often appearing in searches for dating or file-sharing apps. This increases the likelihood of users clicking the links, believing they are legitimate services.
Domain registration patterns indicate the operation is highly coordinated, with bursts of activity tied to rollout cycles. Several domains were registered simultaneously, showing a deliberate attempt to flood search engines with lookalike services. The translated names of these domains reveal localisation efforts to appear culturally and linguistically appropriate, enhancing their credibility.
Victims often find themselves socially manipulated into installing these fake apps. In one reported incident from a Korean blog, a man recounted downloading a dating app post-breakup, only to be lured into sharing personal data by a fake romantic profile. The malware accessed his contacts and captured sensitive media, which was then used to threaten and extort him.
Such stories underscore how the malware weaponises trust and emotional vulnerability. Instead of relying on traditional exploit methods, it leans heavily on human psychology to achieve its objectives.