MALWARE FAMILY

PlainGnome

Internal ID: apk.plain_gnome
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

According to Lookout, PlainGnome uses a two-stage deployment in which a very minimal first stage drops a malicious APK once it has been installed. The code of PlainGnome's second-stage payload evolved significantly from January 2024 through at least October. In particular, PlainGnome's developers shifted to Jetpack WorkManager classes to handle data exfiltration, which eases development and maintenance of the related code. WorkManager also allows execution conditions to be specified: for example, PlainGnome exfiltrates data from a victim device only when the device enters an idle state, a mechanism probably intended to reduce the chance of the victim noticing PlainGnome's presence. Unlike the minimalist first (installer) stage, the second stage carries out all of the surveillance functionality and relies on 38 permissions.

Threat Analysis

PlainGnome is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

Type: Malware Family
Aliases: 1

Also Known As

apk.plain_gnome

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.