In one of the most psychologically manipulative malware campaigns uncovered in 2025, Zimperium's zLabs has revealed a sprawling, cross-platform operation dubbed SarangTrap. This mobile malware campaign uses emotional lures, polished user interfaces, and fake dating platforms to gain unauthorized access to sensitive data—and it's evolving fast.
"This is more than a malware outbreak. It's a digital weaponization of trust, emotion, and isolation," writes Rajat Goyal, lead researcher at Zimperium, about the report.
SarangTrap uses fake apps disguised as dating, file-sharing, and utility services to lure users—particularly targeting emotionally vulnerable individuals in regions like South Korea. Key tactics include:
- 250+ malicious Android apps and 80+ phishing domains
- Realistic landing pages indexed by Google, ranking for dating-related terms
- "Exclusive invite codes" to build trust and justify invasive permission requests
- Data exfiltration includes contacts, selfies, SMS, and device information
"The apps display sleek UIs and exclusive prompts, only to begin silent data harvesting once users interact," the report states.
On iOS, users are manipulated into installing malicious configuration profiles—an advanced technique to bypass App Store restrictions and access private data.
What sets SarangTrap apart is not just its technical approach but its emotional engineering. Zimperium cites real-world victim stories, including a man extorted after a fake dating app covertly recorded him and accessed his contacts.
"The SarangTrap campaign is a deeply manipulative and technically sophisticated mobile malware operation that weaponizes human vulnerability through fake dating and social apps," said Nico Chiaraviglio, Chief Scientist at Zimperium. "By combining social engineering with stealthy permission requests and evolving evasion tactics, the attackers are successfully harvesting sensitive personal data from both Android and iOS users."
The campaign's operators continue to iterate. Newer Android variants omit SMS permissions from the manifest while retaining the exfiltration code, allowing them to evade dynamic analysis and antivirus tools.
With polished user interfaces, fake exclusivity (like "invite-only" access), and emotionally charged lures, victims are drawn into sharing contacts, selfies, phone numbers, and more. Some phishing domains were even indexed by Google, appearing in legitimate search results, giving the scheme a veneer of credibility.
"It's not just technical—it's psychological warfare," Zimperium researchers noted.
The anatomy of the attack is fascinating, and terrifying. Fake apps mimic Tinder, Bumble, and other popular social platforms, complete with realistic UI and onboarding flows.
Victims are urged to provide personal information and grant extensive permissions, often via guilt-tripping messages or fake romantic interest. Once data is exfiltrated, some users reported extortion attempts that threatened to leak sensitive photos or contact lists unless demands were met. The campaign marks a disturbing fusion of malware, phishing, and emotional manipulation, placing it in a category all its own.
OT systems could be at risk by association. While SarangTrap is a mobile-first threat, its timing aligns with findings from Fortinet's 2025 State of Operational Technology and Cybersecurity Report. That report found a 60% increase in attacks affecting both IT and OT systems, and emphasized the importance of integrating mobile, endpoint, and OT security efforts.
"Mobile malware like SarangTrap shouldn't be siloed as a consumer issue," said one CISO. "Bring-your-own-device (BYOD) policies mean this kind of emotionally-driven attack could compromise employee devices and introduce risk into OT-adjacent networks."
Zimperium mapped the campaign to several MITRE ATT&CK tactics, including:
- T1655.001: Masquerading legitimate app names
- T1426 / T1420 / T1422: Device and network discovery
- T1533 / T1636.003: Contact and file exfiltration
- T1437.001 / T1646: C2 communication via HTTP
- T1582: SMS control
Practitioners should be doing the following, if they are not already:
- Harden BYOD policies and revisit mobile threat defense (MTD) integration with your existing EDR/XDR platforms.
- Block known SarangTrap domains at the network and DNS level.
- Train staff on mobile phishing tactics, especially those involving dating or emotionally manipulative themes.
- Monitor app behavior for unusual permission requests, especially among newly installed apps mimicking social platforms.
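As an added example (not code from Zimperium or the report), the following Python triage script turns two of the points above into a check that can be run over a mobile fleet inventory: it flags newly installed apps whose label borrows a dating or social brand while requesting an invasive permission set, and it flags the manifest/code mismatch the article describes in newer variants, where SMS APIs are referenced in the code but no SMS permission is declared. The inventory records, brand watch list and trusted package prefixes are constructed assumptions; in practice the fields would come from an MDM export plus a permission and string dump of each APK.

```python
"""Triage an Android app inventory for SarangTrap-style indicators.

Added example, not Zimperium's tooling. Every record below is constructed
sample data; the brand list and trusted package prefixes are assumptions
that a real deployment would maintain against its own app store listings.
"""
from dataclasses import dataclass

# Manifest permissions that gate the data the campaign is described as harvesting.
INVASIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_PHONE_STATE",
}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Code-level references that imply SMS access regardless of the manifest.
SMS_API_MARKERS = ("android.telephony.SmsManager", "content://sms", "android.provider.Telephony")

# Brand words a lookalike app would borrow (hypothetical watch list).
SOCIAL_BRANDS = ("tinder", "bumble", "hinge", "date", "match")
# Package prefixes assumed to belong to the genuine apps (verify before use).
TRUSTED_PREFIXES = ("com.tinder", "com.bumble.app", "co.hinge")


@dataclass
class AppRecord:
    package: str
    label: str
    manifest_permissions: set   # from aapt/apkanalyzer or the MDM export
    code_strings: set           # string dump of classes.dex
    installed_days_ago: int


def looks_like_social_platform(app: AppRecord) -> bool:
    """Label borrows a social/dating brand but the package is not a trusted one."""
    if app.package.startswith(TRUSTED_PREFIXES):
        return False
    label = app.label.lower()
    return any(brand in label for brand in SOCIAL_BRANDS)


def manifest_code_mismatch(app: AppRecord) -> bool:
    """Code references SMS APIs while the manifest declares no SMS permission."""
    declares_sms = bool(app.manifest_permissions & SMS_PERMISSIONS)
    references_sms = any(marker in s for s in app.code_strings for marker in SMS_API_MARKERS)
    return references_sms and not declares_sms


def assess(app: AppRecord, recent_days: int = 30) -> list:
    """Return a list of human-readable findings for one app (empty if clean)."""
    findings = []
    invasive = app.manifest_permissions & INVASIVE_PERMISSIONS
    if looks_like_social_platform(app) and len(invasive) >= 2:
        findings.append(f"social-platform lookalike requesting {sorted(invasive)}")
    if manifest_code_mismatch(app):
        findings.append("SMS APIs referenced in code but no SMS permission declared")
    if findings and app.installed_days_ago <= recent_days:
        findings.append(f"installed {app.installed_days_ago} days ago (recent install)")
    return findings


def triage(inventory: list) -> dict:
    """Map package name -> findings for every app that produced at least one finding."""
    results = {}
    for app in inventory:
        findings = assess(app)
        if findings:
            results[app.package] = findings
    return results


# Constructed sample inventory: one lookalike, one genuine app, one benign utility.
SAMPLE_INVENTORY = [
    AppRecord("com.example.lovechat", "Tinder Premium Invite",
              {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
               "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"},
              {"android.telephony.SmsManager", "content://sms/inbox", "okhttp3.OkHttpClient"}, 2),
    AppRecord("com.tinder", "Tinder",
              {"android.permission.INTERNET", "android.permission.READ_CONTACTS",
               "android.permission.CAMERA"},
              {"okhttp3.OkHttpClient"}, 400),
    AppRecord("com.example.calc", "Calculator",
              {"android.permission.INTERNET"}, set(), 5),
]

if __name__ == "__main__":
    for package, findings in triage(SAMPLE_INVENTORY).items():
        print(package)
        for finding in findings:
            print("  -", finding)
```

Treat the output as a triage signal rather than a verdict: third-party SDKs can leave SMS API strings in an app that never uses them, so a mismatch finding should route the APK to sandbox or manual review. Running the script on the sample inventory flags only `com.example.lovechat`, with both the lookalike and the SMS mismatch findings.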