Fake Android apps used for sophisticated APT surveillance found lurking in Google Play Store
Security researchers have uncovered a highly targeted surveillance campaign that used a number of fake Android apps hosted in Google's Play Store. Researchers at security firm Lookout identified three malicious apps. Two of them carried ViperRAT, the surveillanceware previously used by sophisticated threat actors to target the Israel Defense Forces (IDF). The third carried two surveillanceware families, Desert Scorpion and FrozenCell, used to spy on targets in Palestine.
The ViperRAT-infected apps, VokaChat and Chattak, were built around social engineering: they offered custom chat functionality, and the operators reached out to targets through fake social media profiles of attractive young women. The two apps garnered over 1,000 downloads combined and shipped with fully implemented chat functionality, which researchers noted was absent from earlier ViperRAT samples.
In 2017, ViperRAT was deployed to spy on the IDF, with the attackers posing as young women who sent a target a link and prompted them to install the malicious app. The first-stage app performed basic profiling of the infected device. In certain cases it then attempted to download a more sophisticated and comprehensive second-stage component, presented to the victim as enabling "easier communication". This component gives the attacker significant control over the device.
ViperRAT is capable of exfiltrating a host of sensitive data including encrypted images taken using the device camera, audio recordings, stored images, contact information, device geolocation information, SMS content, call log and cell tower information, browser search history and bookmarks as well as device network and handset metadata.
"It's currently unclear whether this new variant is targeting its attacks to Saudi Arabia or the wider Middle East region," researchers said. "The actors behind this attack most likely moved to Google Play not because of their targets, but because it added credibility to their chat apps." Distribution through the official store also removes a friction point: victims no longer have to enable installation from unknown sources, so the "Unknown sources" warning that might otherwise prompt a target to question the app never appears, making the apps harder for users to recognise as malicious.
The third app, which carried the surveillanceware families Desert Scorpion and FrozenCell, is believed to have been developed by a threat actor tracked as APT-C-23, which targets victims in the Middle East, particularly in Palestine.
Desert Scorpion and FrozenCell are distributed through a long-running Facebook profile that promotes the malicious chat app Dardesh with links to Google Play. The same profile has also posted Google Drive links to Android malware belonging to the FrozenCell family. FrozenCell's and Desert Scorpion's command-and-control (C2) infrastructure resides in similar IP blocks, indicating that the same threat actor is likely behind the operation and development of both.
This app also relies on a second-stage payload, which is downloaded only after the victim has installed and interacted with the first-stage component. The second stage provides up to 22 surveillance functions, including device tracking, stealth audio and call recording, retrieval of stored files, collection of contact and account information, and exfiltration of device data to a C2 server.
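One practical consequence of the two-stage design described above, and of the ViperRAT capability list earlier on the page, is worth making concrete. An Android app cannot acquire new permissions at runtime: everything a later-downloaded stage wants to use (microphone, call log, SMS, location, contacts) must already be declared in the first-stage APK's manifest, even if the first-stage code itself only implements a chat client. The following Python script is an added example, not code from the Lookout report or from any of the apps discussed; it triages a decoded AndroidManifest.xml by mapping the data classes the article says these families collect onto the Android permissions needed to collect them (a mapping I chose, not one the page gives) and flags apps whose requested permission set covers an unusually broad surveillance surface. The two sample manifests are constructed for illustration; the threshold of five capability classes is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data classes named on the page (camera, audio, stored files, contacts,
# location, SMS, call log, handset metadata, browser history, accounts)
# mapped to the Android permissions an app must declare to collect them.
# This mapping is the example author's, based on the Android permission
# model; it is not taken from the Lookout analysis.
CAPABILITY_PERMISSIONS = {
    "camera": {"android.permission.CAMERA"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "stored images / files": {"android.permission.READ_EXTERNAL_STORAGE",
                              "android.permission.WRITE_EXTERNAL_STORAGE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call log": {"android.permission.READ_CALL_LOG"},
    "handset metadata": {"android.permission.READ_PHONE_STATE"},
    "browser history / bookmarks": {
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """Capability classes the declared permissions would allow."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def triage(manifest_xml, threshold=5):
    """Flag a manifest whose permissions cover >= threshold capability classes.

    The threshold is a hypothetical tuning value, not a published indicator.
    """
    perms = requested_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {"permissions": sorted(perms),
            "capabilities": caps,
            "suspicious": len(caps) >= threshold}


def _manifest(*permissions):
    """Build a minimal decoded manifest for the constructed samples below."""
    body = "".join(
        '<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="com.example.chat">%s'
            '</manifest>' % (ANDROID_NS, body))


# Constructed sample: what a plain chat app plausibly needs.
BENIGN_CHAT_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
)

# Constructed sample: a "chat app" whose manifest pre-declares everything a
# surveillance second stage would need, matching the capability list on the page.
SURVEILLANCE_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "android.permission.GET_ACCOUNTS",
)

if __name__ == "__main__":
    for label, m in (("benign chat", BENIGN_CHAT_MANIFEST),
                     ("surveillance", SURVEILLANCE_MANIFEST)):
        r = triage(m)
        print(label, "suspicious=%s" % r["suspicious"], r["capabilities"])
```

In practice the manifest is obtained from the APK with a decoder such as apktool or aapt, and the check is a coarse filter rather than a verdict: a legitimate messenger can reasonably ask for camera, storage and contacts, while call log, SMS, audio recording and browser history together in a "chat" app are the combination that deserves a closer look at what the app downloads after first launch.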
Although these are not the first malicious apps to sneak into the Google Play Store, their availability on Android's official app store gives them dangerous credibility. Lookout notified Google of its findings and the apps have since been removed.
"As we've seen with actors like Dark Caracal, this low cost, low sophistication approach that relies heavily upon social engineering has still been shown to be highly successful for those operating such campaigns," researchers said. "Even sophisticated actors are using lower cost, less technologically impressive means like phishing to spread their malware because it's cheap and very effective, especially on mobile devices where there are more ways to interact with a victim (messaging apps, social media apps, etc.), and less screen real estate for victims to identify potential indicators of a threat."