Kaspersky Lab has discovered a brand new cyber-spying campaign targeting Android users via Telegram chat app and infected websites while watering holes is the preferred attack vector. Watering holes is a technique in which famous websites are infected with malware so that visitors unknowingly get their devices infected.
The main targets of this campaign are users in the Middle East and North Africa (primarily Morocco, Egypt, Lebanon, Jordan, and Iran). Researchers claim that there are four different versions of the malware, dubbed as “ZooPark,” that have been identified so far. It is believed that the malware was developed between June 2015 and 2017 and each version was advanced than the previous one.
“From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4,” wrote Kaspersky Lab researchers.
The most recent version that has been identified by Kaspersky Lab can exfiltrate vast reserves of data including contacts information, text messages, keylogs, call audio, GPS location and other important data from the device.
It can also capture images, screenshots and record audio/video conversations, which researchers are claiming to be an “interesting” capability as it shows the extent to which malware developers have improved the code functionality over the years. They have managed to transform it into a very sophisticated malware so it is evident that this version might have been created using “specialist surveillance tools.”
Evolution of ZooPark malware features (Credit: Kaspersky Lab)
A number of news websites are identified to be infected by the hackers so as to redirect visitors to downloading link that infects the device with malicious APKs.
After the infection process is successfully completed, ZooPark starts stealing private and confidential data from the device, for which it not only scans system memory but also the data stored on SD card. It obtains details about installed applications, clipboard data, and browser data too.
Malware developers are using Telegram channels to spread the malware. Kaspersky report describes that one of the channels used for this malicious purpose was active between 2015 and 2016 and the infected links that it distributed were of an illegitimate app for Iranian province Kurdistan. Consequently, Telegram chat app has been blocked in Iran.
Also mentioned in the report are examples of various famous Arabic news websites that also were used as watering holes for the cyber-espionage campaign.
Nearly 100 targets have so far been detected by Kaspersky, claims malware analyst at the firm Alexey Firsh, and there is also an indication that the targets are specially selected. There are also hints on the involvement of a nation-state in this campaign, states Firsh.
“More and more people use their mobile devices as a primary – or sometimes even only – communication device. That is certainly being spotted by nation-state sponsored actors, who are building their toolsets so they will be efficient enough to track mobile users.”
