• On top of having certain spyware features, the malicious APK samples analyzed from this campaign also contained backdoor capabilities.
• The spyware features included exfiltrating call logs, SMS messages and browser history, among other data, from the affected devices.

A new malware campaign has been unearthed by security researchers at Kaspersky. In this campaign, dubbed “ViceLeaker”, attackers deliver a malicious payload in APK files pushed through messenger applications. According to the researchers, the payload is a spyware program built to extract all accessible information from infected devices. It is speculated that this ongoing campaign targets Android users in the Middle East, since the samples were found on Android devices belonging to Israeli citizens.

Worth noting

  • On top of having spyware features such as exfiltrating call logs, SMS messages, etc., the samples also had backdoor capabilities.
  • Kaspersky’s researchers came across four ViceLeaker malware samples in the campaign. The attackers were found to have used a Smali code injection technique to embed the payloads.
  • The malware used HTTP for communicating with the C2 server for command handling and data exfiltration from infected devices.
  • The APKs containing the malware payload were spread to victims through messengers such as Telegram and WhatsApp.
  • Researchers also uncovered one sample that was a modified version of “Conversations”, a legitimate app available on the Play Store.

New tools for distribution

Kaspersky researchers hint that the attackers behind the ViceLeaker campaign plan to come up with new tools to disseminate the payload.

“The operation of ViceLeaker is still ongoing, as is our research. The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner,” wrote the researchers. It is also believed that ViceLeaker creators are part of a worldwide web-oriented attack campaign.

Cyware Publisher