Sophisticated APT surveillance malware comes to Google Play

April 16, 2018, by admin


Hackers pushing nation-state-style surveillance malware recently scored a major coup by getting three advanced malicious applications hosted in Google’s official Play marketplace, researchers said.

The mAPTs, short for mobile advanced persistent threats, likely came from two separate groups that both target people in the Middle East, Michael Flossman, head of threat intelligence at mobile security company Lookout, told Ars. The three apps combined received from about 650 to 1,250 downloads, according to Google Play figures. All three of them gave attackers considerable control over infected phones.

The apps—two from a family known as ViperRat and the third from the Desert Scorpion family—represent one of the few known times mAPTs have been found in the official Google market. The attackers’ success is largely the result of a modular design where malicious functionality isn’t part of the initial version first downloaded from the Play Store. Rather, the surveillance capabilities come in a second stage that’s downloaded later. Previously, both hacker groups relied largely on social engineering that tricked targets into downloading apps from third-party markets. The ability to get the apps hosted in Play is considered a win because it gives targets much more assurance the apps are legitimate.

“The existence of ViperRAT and Desert Scorpion on Google Play showcases that actors are continuing to ‘tune’ their malware to get past early stage detections and make it into first-party app stores,” Flossman wrote in an email. “These techniques include not shipping the malicious functionality of an app until a second stage that is triggered by some behavior. Surveillanceware is able to hide its malicious functionality in the noise of social networking and chat apps because they request many of the same permissions.”
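The two-stage design described above is what a triage analyst would look for in a first-stage APK: little surveillance logic of its own, but the plumbing to fetch and load more code later. The following script is an added example written for this page, not Lookout's tooling or code from the ViperRat or Desert Scorpion samples. It treats an APK as the zip it is, byte-searches the dex string pool for class-loader and package-installer strings, byte-searches the binary manifest for sensitive permissions (reported, not scored, because chat apps legitimately request many of them), and flags payload files bundled under assets/ or res/raw/. The sample "APKs" it builds are constructed stand-ins (fake manifest and dex bytes), and the package names in them are invented.

```python
import io
import zipfile

# Indicators of runtime code loading or package installation. Dex string
# pools are MUTF-8, so JVM-style type descriptors appear as plain ASCII.
LOADER_MARKERS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"application/vnd.android.package-archive",  # MIME type used to hand an APK to the installer
]

# Permissions that line up with the capability list on this page. A genuine
# chat app may request several of these, so they are reported, not scored.
SENSITIVE_PERMISSIONS = [
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "android.permission.CALL_PHONE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
]

PAYLOAD_DIRS = ("assets/", "res/raw/")
PAYLOAD_EXTS = (".apk", ".dex", ".jar", ".zip")


def manifest_permissions(manifest_bytes):
    """Sensitive permissions named in a binary AndroidManifest.xml.

    The AXML string pool is UTF-16LE unless its UTF-8 flag is set, so both
    encodings are checked. This is a byte search, not an AXML parser.
    """
    return [p for p in SENSITIVE_PERMISSIONS
            if p.encode("utf-16-le") in manifest_bytes or p.encode() in manifest_bytes]


def dex_loader_indicators(dex_bytes):
    """Class-loader and installer strings present in the dex string pool."""
    return [m.decode() for m in LOADER_MARKERS if m in dex_bytes]


def triage_apk(apk_bytes):
    """Unpack an APK (a zip) and report two-stage delivery indicators."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        dex = b"".join(z.read(n) for n in names
                       if n.startswith("classes") and n.endswith(".dex"))
        # A dex/apk/jar shipped inside assets or res/raw is itself a stage-two hint.
        embedded = [n for n in names
                    if n.startswith(PAYLOAD_DIRS) and n.lower().endswith(PAYLOAD_EXTS)]
    loaders = dex_loader_indicators(dex)
    return {
        "permissions": manifest_permissions(manifest),
        "loaders": loaders,
        "embedded_payloads": embedded,
        "stage_two_suspect": bool(loaders or embedded),
    }


def _fake_apk(manifest_strings, dex_strings, extra_files=()):
    """Constructed sample for offline runs: fake manifest/dex bytes, not real Android artifacts."""
    manifest = b"\x03\x00\x08\x00" + b"".join(
        s.encode("utf-16-le") + b"\x00\x00" for s in manifest_strings)
    dex = b"dex\n035\x00" + b"\x00".join(s.encode() for s in dex_strings) + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
        for name in extra_files:
            z.writestr(name, b"PK")
    return buf.getvalue()


def sample_dropper():
    """Chat app whose first stage fetches and loads a payload later (constructed)."""
    return _fake_apk(
        ["android.permission.INTERNET", "android.permission.RECORD_AUDIO",
         "android.permission.READ_CONTACTS"],
        ["Lcom/example/chat/MainActivity;", "Ldalvik/system/DexClassLoader;",
         "loadClass", "http://"],
    )


def sample_benign_chat():
    """Chat app with the same permission noise but no loader (constructed)."""
    return _fake_apk(
        ["android.permission.INTERNET", "android.permission.RECORD_AUDIO",
         "android.permission.READ_CONTACTS"],
        ["Lcom/example/chat/MainActivity;", "Landroid/media/MediaRecorder;"],
    )


if __name__ == "__main__":
    for label, apk in (("dropper", sample_dropper()), ("benign", sample_benign_chat())):
        print(label, triage_apk(apk))
```

Both constructed samples request identical permissions; only the loader string separates them, which is the point Flossman makes about permission noise. Treat hits as triage signals, not verdicts: a first stage that resolves `DexClassLoader` through reflection or keeps its strings encrypted will produce no marker, and a real-world pipeline should follow up with dynamic analysis of what the app fetches after install.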

For all your surveillance needs

Desert Scorpion was delivered in an app titled Dardesh, which was downloaded about 100 times. It offers a full set of surveillance capabilities including the ability to:

  • Upload attacker-specified files to command and control servers
  • Record surrounding audio, calls, and video
  • Retrieve account information such as e-mail addresses
  • Retrieve contacts
  • Remove copies of itself if any additional APKs are downloaded to external storage
  • Call an attacker-specified number
  • Uninstall apps
  • Hide its icon
  • Retrieve list of files on external storage
  • Encrypt some exfiltrated data
  • Obtain a list of installed applications
  • Get device metadata
  • Inspect itself to get a list of launchable activities
  • Retrieve PDF, txt, doc, xls, xlsx, ppt, pptx files found in external storage
  • Send SMS messages
  • Retrieve text messages
  • Track device location
  • Handle limited attacker commands via out of band text messages
  • Check if a device is rooted
  • If running on a Huawei device it will attempt to add itself to the protected list of apps able to run with the screen off

Desert Scorpion has ties to another targeted surveillance-ware family dubbed Frozen Cell. Lookout researchers believe both families are developed, or at least operated, by a single group known as APT-C-23. Desert Scorpion is being used to target individuals in the Middle East, particularly those in the Palestine region.

Lookout observed Dardesh receiving two updates, the first on February 26 and the second on March 28. The second stage of Dardesh came in the form of a generic settings application. It included the word “Fateh,” in what Lookout believes is a reference to the Fatah Palestinian political party. Lookout’s blog post about Desert Scorpion is here.

The ViperRat malware was delivered through VokaChat and Chattak, which received from 500 to 1,000 downloads and 50 to 100 downloads respectively. An earlier ViperRat campaign targeted members of the Israeli Defense Force with apps posted in third-party markets. Attackers posing as attractive women would befriend individual targets and eventually try to trick them into downloading Trojanized chat apps. Unlike the apps from earlier ViperRat campaigns, VokaChat and Chattak contained fully functional chat capabilities, a feature that made it less likely targets would suspect they had installed malware.

Chattak contained either a feature or a bug—Lookout isn’t sure which it is—that disclosed e-mail addresses and other details of some users with other users. Many of the e-mail addresses suggested targets had ties to Saudi Arabia, but Lookout isn’t sure if those addresses came from people who actually installed the malware.

The trio of apps signals a growing threat to Android users because of the trust many people place in the Google Play market.

“A malicious app that can be downloaded from the Google Play store is extremely dangerous, as users will not think twice about downloading it because of their trust in Google,” Flossman wrote in a Monday morning blog post detailing ViperRat. “This is alarming to us, because as attackers continually find new ways to add legitimacy to their malicious apps, their phishing attacks will become more successful.”
