Android malware on Play Store targeting Palestinians on Facebook

We have reported time and again on the widespread malware and espionage attacks taking place on Facebook. In fact, it would not be wrong to state that the social network has become the hub of nation-state spying activity. However, this is the first time that Palestinians have been targeted with Android spyware, all thanks to a fake Facebook page.

The IT security experts at Lookout identified two different campaigns where hackers used Android applications to carry out targeted surveillance across the Middle East.

In one of the campaigns, a fake female profile was found advertising a malicious application on Facebook that was capable of bypassing the security of the Google Play app marketplace. The profile was distributing an application titled Dardesh, a chat app that was available on Google’s official Play Store for Android. This fake app was removed by Google in April.


The malware was hidden in this app, which was created using two types of already identified spyware called Desert Scorpion and FrozenCell. Palestinians are the main targets of this malicious app. After the app is installed, it switches on the microphone and records conversations, tracks the user's location, and steals contact, call, and text message information.

The apps are developed from two different families of malware, both designed for surveillance. Both malware families targeted nearly a thousand unsuspecting users, while ViperRAT was distributed using social engineering. ViperRAT uses infected devices to capture photos and record conversations. ViperRAT is incorporated into both Android apps, and the same malware was previously seen targeting members of the Israeli Defense Force.

The group responsible for creating and distributing the malware is called APT-C-23. The group is targeting users in the Middle East and Palestine. The group’s fake page was created in October 2013 and operated by someone using the handle @kalmat1990. Cybersecurity firm Lookout revealed that this page features more than 5,000 followers and likes.

It is worth noting that the spyware could not infect a large number of users: on the Google Play Store, the total number of downloads only reached 500 before the app was removed. However, the group has adopted a notable approach to spying on targets in the Middle East and Palestine: splitting malicious functionality into multiple stages, which are downloaded one by one while the app is executing.

“The Lookout Threat Intelligence team is increasingly seeing the same tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors. The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment in comparison to premium toolings like Pegasus or FinFisher,” Lookout said.
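The staged approach described above leaves one trace in the first-stage app: code loaded at runtime runs with the host app's permissions, so the published app's manifest must already request everything the later stages need. The following triage sketch is an added example, not Lookout's tooling or code from the apps; it assumes the manifest has been decoded to text XML and the dex strings already extracted, and the package name, sample inputs and API-marker lists are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# permission -> (capability named in the article, API markers that normally use it).
# The marker lists are heuristic assumptions, not an exhaustive mapping.
SURVEILLANCE = {
    "android.permission.RECORD_AUDIO": ("record audio", ("Landroid/media/MediaRecorder;", "Landroid/media/AudioRecord;")),
    "android.permission.ACCESS_FINE_LOCATION": ("track location", ("Landroid/location/LocationManager;",)),
    "android.permission.READ_CONTACTS": ("read contacts", ("Landroid/provider/ContactsContract",)),
    "android.permission.READ_CALL_LOG": ("read call log", ("Landroid/provider/CallLog",)),
    "android.permission.READ_SMS": ("read text messages", ("Landroid/provider/Telephony",)),
}
LOADERS = ("Ldalvik/system/DexClassLoader;", "Ldalvik/system/InMemoryDexClassLoader;")

def triage(manifest_xml, dex_strings):
    """Compare what the manifest requests with what the first-stage code references."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    strings = list(dex_strings)

    def referenced(markers):
        return any(m in s for s in strings for m in markers)

    # Sensitive permissions requested, but no matching API use in the shipped code.
    unused = sorted(cap for perm, (cap, apis) in SURVEILLANCE.items()
                    if perm in requested and not referenced(apis))
    loaders = sorted(m for m in LOADERS if referenced((m,)))
    # A triage signal for manual review, not a verdict: legitimate apps also
    # load code dynamically.
    return {
        "unused_capabilities": unused,
        "dynamic_loaders": loaders,
        "staged_suspect": bool(unused and loaders
                               and "android.permission.INTERNET" in requested),
    }

# Constructed sample: a chat app whose shipped code only touches contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_STRINGS = ["Lcom/example/chat/MainActivity;", "Ldalvik/system/DexClassLoader;",
                  "Landroid/provider/ContactsContract$Contacts;"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A hit means the app asks for microphone, location or message access that its published code never uses while carrying a runtime code loader, which is worth a closer dynamic look.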

Lookout also discovered two other chat apps, namely Vokachat and Chattak, that were being used for government surveillance. Both were featured on Google’s official store and downloaded over 1,000 times collectively. What’s surprising is the fact that ViperRAT spyware was hidden in each app’s malicious code. Currently, it is not clear whether these two chat apps were used to target the Israeli Defense Forces or not.

Regardless of whether the actual target is ever confirmed, what we can take from the above reports is that Facebook is a thriving hub of malicious spying activity by hackers.


Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.