Cybercriminals Target The Guardian With a Fake SecureDrop Site

• The phishing page harvests the unique ‘codenames’ given for sources who submit information using the SecureDrop service.
• This phishing page also promotes a malicious Android app that performs various malicious activities on a victim's device.

A brief overview

A darknet and underground market researcher who goes under the name ‘Sh1ttyKids’ discovered a phishing page that impersonated ‘The Guardian SecureDrop’ site.

• The phishing page harvests the unique ‘codenames’ given for sources who submit information using the SecureDrop service.
• This phishing page also promotes a malicious Android app that performs various malicious activities on a victim's device.

Sh1ttyKids notified The Guardian’s security team about the phishing site and the site has been taken offline. However, the phishing site has been taken offline by The Guardian’s security team or the attackers, remains unknown.

The backdrop

SecureDrop is a service that allows sources to submit anonymous confidential information to journalists. A unique codename is given to the sources who submit information to journalists. This codename can be used for private communications with the journalists.

Once the phishing page harvests a source's codename, attackers can use the codename to login to The Guardian's official SecureDrop site, impersonate the source, and steal the source’s information and communications.

The malicious Android app

The phishing page also promotes a malicious Android app that is capable of performing RAT-like behavior including monitoring a victim's activity, location, calls, texts, stealing data, and executing commands.

BleepingComputer examined the app and determined that the app will execute the commands received from its C&C server. These commands include actions to:

• Create system alerts
• Block the device screen from auto-locking
• Make phone calls, send SMS texts, and record voice calls
• Read contacts and SMS texts
• Access a user's location
• Read and write the call log
• Access the device's storage and camera
• Change WiFi state and scan for available networks
• Access the clipboard
• Take pictures
• Get a list of installed apps
• Upload, download, and delete files

ESET malware researcher Lukas Stefanko examined the app and confirmed BleepingComputer’s findings.

Security researcher Robert Baptiste noted that the app would send the collected information back to a command & control server located at the IP address 213[.]188[.]152[.]96.