The Android spyware was used to steal personal data of victims – The campaign also shows why users should never use their real photos on Facebook.
There are almost 2 billion monthly active users on the social media giant Facebook and that makes it one of the most lucrative targets for hackers and cybercriminals. Recently, the researchers at Czech IT security researchers at Avast reported a sophisticated campaign in which attackers used Facebook and Facebook messenger to trick users into installing a highly sophisticated Android spyware.
Hackers used fake Facebook profiles of attractive females
The scam was reported to Avast by one of their customers informing about receiving messages on their Facebook messenger carrying strange looking links sent by unknown profiles going by the names of Alona, Christina, and Rita using images of attractive women.
Upon analyzing the scam, researchers quickly identified that the profiles used in the scam were fake, stolen images from real people and used without their knowledge or consent. The women lured the victim to click on the link and install the latest version of Kik Messenger app on their device in order to continue their “flirty conversations”.
However, the link only disguised as the Kik Messenger app, in reality, it would take victims to a “very convincing” phishing website and which hosted the malicious version of Kik Messenger app. Once installed, the spyware app would steal personal data from the device.
Tempting Cedar Spyware & Lebanese connection
Dubbed Tempting Cedar Spyware by Avast researchers, the attack aims at stealing personal data from victims Android devices including photos, contacts list, SMS, call logs, victims’ location and recording surrounding sounds including call conversations.
According to Avast, the operation has been targeting Android users since 2015 and so far it has hunted hundreds of victims in the Middle East. The most targeted victims were from Israel while a small number of victims were identified in China, France, Germany and the United States.
Based on the evidence such as login activity, IP addresses, Middle Eastern time zones, registrant data of domains used by hackers to distribute malware, Avast researchers believe that this campaign is being run from Lebonan. However, at the time of publishing this article, it was unclear if the Tempting Cedar Spyware campaign is still targeting users or it has been shut down.
“The cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by exploiting social media, like Facebook, and people’s lack of security awareness, and were thus able to gather sensitive and private data from their victims’ phones including real-time location data which makes the malware exceptionally dangerous, concluded Avast.”
Just last month researchers at Lookout Security exposed a cyber espionage campaign called Dark Caracal in which attackers targeted thousands of victims across 21 countries. The researchers identified that the campaign is being run from Beirut, Lebanon from a building owned by the Lebanese General Directorate of General Security (GDGS).
Photos used by fake profiles on Facebook
Avast has shared a few blurred photos used by hackers in the operation which indicates that social media users on any site should refrain from using their real photos. On Facebook, users should avoid using their photos as cover or profile photos and make sure their personal photos are only visible to their close friends.
Hamas once targeted IDF with seductive female images
This is not the first time when hackers have used photos of attractive women to trap their victims. In fact, this is not the first campaign in which Israeli users have been lured into installing spyware on their phone by hackers using fake photos of attractive women. In January 2017, Hamas was found hacking dozens of smartphones belonging to IDF (Israel Defense Forces) soldiers using tons of seductive female images on Facebook and tricking soldiers into downloading malware which stole their text messages photos, contacts, WhatsApp conversations and identified their location.
In a 2015 incident, hackers used photos of female IDF soldiers to target officials with Poison Ivy trojan and breached Israeli military servers to steal sensitive information. According to Israeli cybersecurity specialists, an unknown Lebanon-based political/governmental group was behind the campaign.