A brief overview
A darknet and underground market researcher who goes by the name ‘Sh1ttyKids’ discovered a phishing page that impersonated ‘The Guardian SecureDrop’ site.
Sh1ttyKids notified The Guardian’s security team about the phishing site, and the site has since been taken offline. However, whether the phishing site was taken offline by The Guardian’s security team or by the attackers remains unknown.
SecureDrop is a service that allows sources to submit anonymous confidential information to journalists. A unique codename is given to the sources who submit information to journalists. This codename can be used for private communications with the journalists.
Once the phishing page harvests a source's codename, attackers can use the codename to login to The Guardian's official SecureDrop site, impersonate the source, and steal the source’s information and communications.
The malicious Android app
The phishing page also promotes a malicious Android app that is capable of performing RAT-like behavior including monitoring a victim's activity, location, calls, texts, stealing data, and executing commands.
BleepingComputer examined the app and determined that the app will execute the commands received from its C&C server. These commands include actions to:
ESET malware researcher Lukas Stefanko examined the app and confirmed BleepingComputer’s findings.
Security researcher Robert Baptiste noted that the app would send the collected information back to a command & control server located at the IP address 213[.]188[.]152[.]96.
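As an added example (not code from the report or from the researchers named above), the following Python scans egress connection logs for contact with the C&C address the report publishes, refanging the bracketed indicator first so the comparison is exact rather than a substring match. The log format and the sample lines are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List

# Indicator exactly as published in the report (defanged with bracketed dots).
C2_DEFANGED = "213[.]188[.]152[.]96"

def refang(indicator: str) -> str:
    """Turn a defanged IP like 213[.]188[.]152[.]96 into 213.188.152.96.

    Validates the result so a typo in the indicator fails loudly instead of
    silently matching nothing.
    """
    refanged = indicator.replace("[.]", ".").replace("(.)", ".")
    ipaddress.ip_address(refanged)  # raises ValueError if not a valid IP
    return refanged

# Constructed sample egress log lines (not from the report), in a simple
# "timestamp src_ip dst_ip dst_port" format.
SAMPLE_LOGS = [
    "2018-08-29T10:01:02Z 10.0.0.12 93.184.216.34 443",
    "2018-08-29T10:01:05Z 10.0.0.45 213.188.152.96 8080",
    "2018-08-29T10:02:11Z 10.0.0.12 213.188.152.96 443",
    "2018-08-29T10:03:00Z 10.0.0.77 213.188.15.96 443",  # near-miss, must not match
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def find_c2_contacts(lines: List[str], c2_defanged: str = C2_DEFANGED) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is the C&C address."""
    c2 = refang(c2_defanged)
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the sweep
        ts, src, dst, port = m.groups()
        if dst == c2:  # whole-address comparison, so 213.188.15.96 does not match
            hits.append({"timestamp": ts, "src": src, "dst": dst, "port": port})
    return hits

if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOGS):
        print(f"{hit['timestamp']} {hit['src']} -> {hit['dst']}:{hit['port']}")
```

Each matching source address is a device that should be checked for the malicious app described above.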