Security researchers have detailed a new cyberespionage campaign dubbed ZooPark that has been targeting Android users in the Middle East since at least June 2015. Kaspersky Lab researchers say the threat actors behind the operation have been using several generations of malware, the most recent of which was deployed in 2017.
According to researchers, the ZooPark malware initially began as a very basic malware, but has since evolved into a more complex spyware featuring several nefarious capabilities. The attackers leverage Telegram channels and compromised legitimate websites to distribute the espionage tools.
"The preferred infection vector for ZooPark is waterhole attacks," researchers said. "We found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include 'Kurdistan referendum', 'TelegramGroups' and 'Alnaharegypt news', among others."
Based on its evolution, the malware can be classified into four different variants. The first version, seen in 2015, was designed to steal only contacts and accounts. The second version, released in 2016, was more advanced and capable of exfiltrating other details such as call logs, GPS location, SMS messages and device information. The third version, also seen in 2016, bore several notable similarities to the commercial spyware application Spymaster Pro and sought to steal call records, installed app data, browser data, and pictures from memory cards.
The latest version, 4.0, received a major facelift and poses a serious threat. This version can exfiltrate keylogs, clipboard data, arbitrary data, data from the device's default applications, and data from targeted applications such as Telegram, WhatsApp, IMO and Chrome, stealing their databases and stored credentials.
Researchers have not attributed the campaign to any known threat actors yet.
Although the target profile of the campaign has shifted over the years, it has focused on victims in Egypt, Jordan, Lebanon, Morocco and Iran. Some possible high-profile targets include the United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA) in Amman, Jordan.
"From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware," researchers said.
"This suggests the latest version may have been bought from vendors of specialist surveillance tools. That wouldn’t be surprising, as the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. Also, choosing mobile platforms for espionage campaigns is just a natural evolutionary step."