'CloudZ' Malware Hijacks Microsoft Phone Link to Intercept SMS and OTPs from PCs

New 'CloudZ' Malware Abuses Microsoft Phone Link to Steal Mobile Data

Severity: HIGH
May 5, 2026
Categories: Malware, Data Breach, Phishing

Related Entities

Products & Tech: Microsoft Phone Link, Windows 10, Windows 11, ScreenConnect
Other: CloudZ, Pheno

Executive Summary

Security researchers at Cisco Talos have uncovered a previously undocumented malware campaign that abuses the legitimate Microsoft Phone Link application to steal sensitive mobile data. The attack uses a .NET remote access trojan (RAT) called CloudZ and a specialized plugin named Pheno. Instead of targeting the mobile device directly, the malware infects a user's Windows PC. The Pheno plugin then hijacks the data synced by the Phone Link app, giving attackers access to mirrored SMS messages, notifications, and, most critically, one-time passwords (OTPs) used for multi-factor authentication. This attack vector is particularly dangerous for enterprises as it circumvents mobile security measures and targets company-managed PCs, effectively undermining a common form of two-factor authentication.

Threat Overview

The attack hinges on exploiting the trust relationship established between a user's smartphone and their Windows PC via the Phone Link app. The app is designed to mirror phone notifications, messages, and calls onto the desktop for convenience.

  1. Initial Compromise: The system is first infected with the CloudZ RAT. While the primary delivery method is not fully understood, one observed vector was a fake ScreenConnect application update.
  2. Plugin Deployment: The CloudZ RAT deploys the Pheno plugin onto the compromised Windows machine.
  3. Process Scanning: The Pheno plugin continuously scans for active Phone Link processes, waiting for the user to connect their phone.
  4. Database Theft: Once an active Phone Link session is detected, the malware accesses the application's local SQLite database file on the PC. This database contains a mirrored copy of the phone's recent SMS messages and notifications.
  5. Data Exfiltration: The contents of the database, including sensitive SMS messages and OTPs from authenticator apps, are exfiltrated by the CloudZ RAT to the attacker's command-and-control server.

This entire process occurs without any malware being installed on the smartphone itself. The phone's security is irrelevant; the attack surface is the paired Windows computer.

Technical Analysis

CloudZ is a modular .NET RAT that incorporates several defense evasion techniques, including obfuscation and the ability to detect debuggers and analysis environments. Its capabilities include file management, shell command execution, and screen recording.

The Pheno plugin is the key component for this specific attack. Its sole purpose is to locate and steal the Phone Link SQLite database, which is typically stored in the user's local application data directory (%LocalAppData%). By targeting this database, the attackers gain access to a treasure trove of information that is temporarily synced from the phone.

Impact Assessment

The impact of this attack is significant, particularly for organizations that rely on SMS-based OTPs for multi-factor authentication.

  • MFA Bypass: The attack allows threat actors to bypass a common security layer, enabling account takeover for corporate email, VPN, financial services, and other critical applications.
  • Data Breach: Attackers gain access to the content of SMS messages, which can include sensitive personal or business communications, appointment reminders, and other private information.
  • Credential Theft: Beyond OTPs, the malware can use its other RAT capabilities to steal passwords and other credentials stored on the compromised PC.
  • Shift in Defense Focus: This attack highlights a weakness in the security model of applications that sync sensitive data across devices. It forces defenders to consider the PC as a potential point of compromise for mobile data.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses, domains, or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for this activity by monitoring for suspicious access to Phone Link data.

Type: File Path
Value: %LocalAppData%\Packages\Microsoft.YourPhone_*\LocalState\*.db
Description: Monitor for unusual processes accessing the Phone Link SQLite database files. Legitimate access should only come from Phone Link processes.

Type: Process Name
Value: YourPhone.exe, PhoneExperienceHost.exe
Description: Baseline the normal behavior of these processes. Alert on child processes that are not standard Windows components.

Type: Command Line Pattern
Value: *ScreenConnect*
Description: The initial vector was linked to a fake ScreenConnect update. Monitor for suspicious installers or scripts invoking this name.

Detection & Response

  1. Endpoint Monitoring: Use an EDR solution to monitor for suspicious processes accessing the Phone Link database path. Any process other than YourPhone.exe or PhoneExperienceHost.exe reading this file is highly suspect. This aligns with D3FEND's Decoy File concept if a canary file is placed in the directory.
  2. Behavioral Analysis: Look for behaviors associated with RATs, such as unexpected network connections, screen recording API calls, or shell command execution originating from unusual processes. Reference D3FEND's User Behavior Analysis.
  3. Limit Application Usage: In high-security environments, consider using Group Policy to restrict or disable the use of the Microsoft Phone Link application on corporate devices.

Mitigation

  1. Phishing-Resistant MFA: The most effective mitigation is to move away from SMS-based MFA. Transition to more secure methods like FIDO2/WebAuthn security keys or authenticator apps that use push notifications with number matching. These methods are not vulnerable to this type of interception.
  2. Endpoint Security: Ensure all endpoints are protected with a modern EDR and antivirus solution capable of detecting and blocking RATs like CloudZ.
  3. User Education: While the attack targets the PC, user awareness about fake software updates and suspicious installers can help prevent the initial compromise.
  4. Application Hardening: As a D3FEND Application Configuration Hardening measure, if Phone Link is not a business-critical application, use application control policies to block its execution on enterprise assets.

Timeline of Events

  1. January 1, 2026: Cisco Talos first observes the malware campaign activity.
  2. May 5, 2026: Cisco Talos and other media outlets publish details of the CloudZ and Pheno malware.
  3. May 5, 2026: This article was published.

MITRE ATT&CK Mitigations

Move away from interceptable MFA methods like SMS. Implement phishing-resistant MFA such as FIDO2 security keys.

Use EDR tools to detect and block abnormal behaviors, such as a non-Phone Link process accessing the Phone Link database.

If Microsoft Phone Link is not required for business purposes, disable or uninstall it via Group Policy to eliminate this attack surface.

Deploy and maintain endpoint protection to detect and quarantine the CloudZ RAT.

D3FEND Defensive Countermeasures

This attack specifically targets and defeats a weak form of MFA (SMS OTPs). The most critical countermeasure is to upgrade the organization's authentication standards. Mandate the use of phishing-resistant MFA for all users, especially for access to VPN, email, and critical applications. The gold standard is FIDO2/WebAuthn hardware security keys. A strong alternative is the use of authenticator apps that provide push notifications with number matching, which requires user interaction on the trusted device and is not susceptible to the passive interception demonstrated by CloudZ. By removing the reliance on SMS, this entire attack chain is rendered ineffective for the purpose of account takeover.

To detect the CloudZ RAT's activity on a compromised host, security teams should leverage an EDR solution to perform detailed process analysis. Specifically, create detection rules that monitor for any process other than YourPhone.exe or PhoneExperienceHost.exe attempting to read or access files within the %LocalAppData%\Packages\Microsoft.YourPhone_*\ directory. This is a highly specific and anomalous behavior. Furthermore, baseline the typical behavior of the legitimate Phone Link processes and alert on any deviations, such as spawning unusual child processes (e.g., cmd.exe, powershell.exe) or making network connections to uncategorized IP addresses. This focused monitoring can identify the Pheno plugin's core function and expose the RAT.
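The two detection rules described above (the hunting hints table and the EDR guidance in this paragraph) as runnable logic, added here as an example rather than code from the report or from Cisco Talos. It assumes a simplified EDR event schema (JSON lines with a "type", image paths and a file path) and uses constructed sample telemetry; the allowlisted process names and the Microsoft.YourPhone_* path pattern are the ones given on the page.

```python
import fnmatch
import json
import ntpath

# Legitimate Phone Link processes named in the hunting hints.
PHONE_LINK_PROCESSES = {"yourphone.exe", "phoneexperiencehost.exe"}
# Database location from the hunting hints; %LocalAppData% differs per user,
# so the prefix is wildcarded and matching is done on lower-cased paths.
PHONE_LINK_DB_GLOB = r"*\packages\microsoft.yourphone_*\localstate\*.db"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # anomalous under Phone Link

def _exe(image_path):
    return ntpath.basename(image_path).lower()  # lower-cased file name only

def classify(event):
    """Return an alert string for one EDR event dict, or None if benign.
    Assumed schema: {"type": "file_access", "process": <image>, "path": <file>}
    or {"type": "process_create", "parent": <image>, "process": <image>}."""
    if event.get("type") == "file_access":
        path = event.get("path", "")
        if (fnmatch.fnmatchcase(path.lower(), PHONE_LINK_DB_GLOB)
                and _exe(event["process"]) not in PHONE_LINK_PROCESSES):
            return f"phone_link_db_access: {event['process']} read {path}"
    elif event.get("type") == "process_create":
        if (_exe(event["parent"]) in PHONE_LINK_PROCESSES
                and _exe(event["process"]) in SUSPICIOUS_CHILDREN):
            return f"phone_link_child: {event['parent']} spawned {event['process']}"
    return None

def hunt(json_lines):
    """Run classify() over newline-delimited JSON events; return the alerts."""
    return [a for a in (classify(json.loads(l)) for l in json_lines) if a]

# Constructed sample telemetry (not from the report): a benign read by the Phone Link
# host, a read by an unknown binary, a shell spawned under Phone Link, and an
# unrelated package directory access that must not alert.
PL_HOST = r"C:\Program Files\WindowsApps\PhoneLink\PhoneExperienceHost.exe"
PL_DB = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\messages.db"
UNKNOWN = r"C:\Users\alice\AppData\Roaming\Update\svc.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "file_access", "process": PL_HOST, "path": PL_DB},
    {"type": "file_access", "process": UNKNOWN, "path": PL_DB},
    {"type": "process_create", "parent": PL_HOST, "process": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_access", "process": UNKNOWN,
     "path": r"C:\Users\alice\AppData\Local\Packages\Contoso.Notes_x\LocalState\notes.db"},
]]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Running it prints two alerts: the unknown binary reading the Phone Link database and the shell spawned beneath PhoneExperienceHost.exe, while the two benign events stay silent.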

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CloudZ, Pheno, Microsoft Phone Link, MFA, OTP, Cisco Talos, RAT
