A newly discovered large-scale malware campaign, identified as SarangTrap, is targeting mobile users by posing as dating and social networking applications. This advanced operation has infiltrated both Android and iOS ecosystems, using over 250 malicious apps and more than 80 phishing domains, with a notable concentration of victims in South Korea.
Deceptive Tactics and Emotional Engineering
According to research by Zimperium, SarangTrap leverages emotional manipulation to lure victims. Fake user profiles, exclusive “invitation codes,” and professional-looking app interfaces are used to create a false sense of legitimacy and urgency. Once installed, these apps request permissions that appear necessary but are actually gateways for data exfiltration.
Victims are prompted to enter a code, which activates hidden spyware designed to collect and transmit sensitive information—including contacts, messages, photos, and device identifiers—to remote attacker-controlled servers.
Advanced Evasion Techniques
Zimperium’s zLabs team has observed a clear evolution in SarangTrap’s methods. In recent Android samples, developers have removed visible SMS permissions from app manifests, a tactic likely aimed at evading detection during security scans—while still maintaining the ability to extract messages silently through embedded code.
On iOS devices, rather than distributing malicious apps directly, attackers are using malicious mobile configuration profiles. Once accepted by the user, these profiles allow unauthorized access to sensitive data without triggering standard security alerts.
The campaign has established 88 unique domains, over 70 of which are actively used to distribute the malware. At least 25 domains have been indexed by major search engines and appear in search results for terms related to dating, file sharing, and social apps—adding to their perceived credibility.
Real-World Consequences and Ongoing Threat
Zimperium’s investigation reveals a troubling mix of technical sophistication and emotional exploitation. One known victim—a man grieving a breakup—was manipulated through a fake dating profile. After installing one of the malicious apps, he became a target of blackmail, with attackers threatening to release personal media to his family.
Despite some variants omitting key permissions, the malware continues to exfiltrate substantial amounts of private data. This shows the attackers are actively refining their methods to maximize reach while minimizing exposure.
Staying Protected
Security experts recommend users avoid downloading apps from third-party stores, be wary of apps that require invitation codes or ask for suspicious permissions, and routinely check for unknown configuration profiles or device settings changes.
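As an added example (not from Zimperium or the original article), the profile check recommended above can be scripted: this Python sketch lists what a `.mobileconfig` file contains so that anything outside an expected set stands out. The article does not say which payloads the SarangTrap profiles carry, so the allowlist, the `review_profile` helper and the sample profile are assumptions constructed for illustration.

```python
import plistlib

# Assumption: payload types this organisation expects; set from local policy.
EXPECTED_TYPES = {"com.apple.wifi.managed"}

def extract_plist(raw: bytes) -> dict:
    """Parse a .mobileconfig; a signed one wraps the same XML in a CMS envelope."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found")
    # Triage shortcut: slicing out the XML does not verify any signature.
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def review_profile(raw: bytes, expected=EXPECTED_TYPES) -> dict:
    """Summarise a profile and list payloads whose type is not expected."""
    profile = extract_plist(raw)
    unexpected = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        if ptype not in expected:
            unexpected.append((ptype, payload.get("PayloadDisplayName", "")))
    return {
        "name": profile.get("PayloadDisplayName", ""),
        "identifier": profile.get("PayloadIdentifier", ""),
        "organization": profile.get("PayloadOrganization", ""),
        "signed_envelope": not raw.lstrip().startswith(b"<?xml"),
        "unexpected_payloads": unexpected,
    }

# Constructed sample profile (not taken from the campaign).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.invalid.profile",
    "PayloadDisplayName": "Constructed Sample",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wi-Fi"},
        {"PayloadType": "com.apple.webClip.managed", "PayloadDisplayName": "Web Clip"},
    ],
})

if __name__ == "__main__":
    report = review_profile(SAMPLE)
    print(report["name"], report["identifier"])
    for ptype, label in report["unexpected_payloads"]:
        print("review:", ptype, label)
```
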
The SarangTrap campaign remains active and adaptive, emphasizing the growing need for vigilance, user education, and robust mobile threat detection strategies in both personal and enterprise environments.
Source: https://www.infosecurity-magazine.com/news/malware-campaign-dating-apps