An aggressive malware campaign called Dark Caracal allegedly stole “hundreds of gigabytes of data” from thousands of military personnel, lawyers, activists, finance and medical professionals, and journalists across more than 21 countries, including the United States, Canada, Germany, France, Russia, and South Korea, according to a report published Thursday. Its success was predicated not on “zero-day” vulnerabilities or new forms of malicious software, but rather on older, known malware delivered via an all-too-familiar method: phishing.
The digital-rights group Electronic Frontier Foundation and Lookout Mobile Security, which co-authored the report, say they tracked the Dark Caracal phishing campaign across more than 60 websites. The hackers hid Trojan malware in legitimate-looking and functioning apps for devices running Google’s Android operating system, promoting their third-party app marketplace installation via links on Facebook and other social platforms. The malware included hacked versions of end-to-end encrypted communication apps Signal and WhatsApp.
While thousands of victims used the apps, which otherwise functioned as expected, the hackers were able to use the hidden malware to continuously steal personal data.
“If you had even a little mobile development experience, [Dark Caracal] could cost less than $1,000.”—Michael Flossman, senior security researcher, Lookout Mobile Security
Dark Caracal’s custom-developed mobile spyware, which the report’s authors call Pallas, is the first documented global advanced persistent threat, or APT, on a mobile device. The campaign behind the attacks, which has apparently been active since 2012, is hosted in a Beirut building belonging to the Lebanese General Security Directorate, says report co-author Michael Flossman, Lookout senior security researcher and the report’s lead malware analyst.
“We’re assuming that targets were socially engineered to have allowed installs from third parties,” Flossman says. Most Android devices ship to consumers with the option to install apps from marketplaces that aren’t Google Play-disabled. “So these installations wouldn’t be blocked. While some antivirus software [programs] focus on detecting known exploits, these apps were fully functional except for the Trojanized part.”
Responding to the report, Google’s Android Security Team said in a statement that none of the infected apps were available on the Google Play Store. “Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices,” it said.
And in a statement to Reuters before the report’s publication, Lebanon refuted its conclusions.
“General Security does not have these type of capabilities. We wish we had these capabilities,” said Major General Abbas Ibrahim, director general of Lebanon’s General Directorate of General Security.
However, Citizen Lab identified in a 2015 report the GDGS as one of two Lebanese government organizations using FinFisher surveillance software. FinFisher, also known as FinSpy, was developed by a European surveillance company and marketed to governments and law enforcement agencies. It has since become a notorious tool for monitoring political dissidents. A FinFisher sample was detected on the same server as other Dark Caracal components, indicating its likely use as part of Dark Caracal, the report says.
As developers of legitimate software around the world rely more and more on components shared through the open-source supply chain, developers of malicious apps are also increasingly recycling older malware components. Through component reuse, nation-states like Lebanon, which previously didn’t have the resources to develop and launch sophisticated online attacks, can now much more affordably hack their way across the globe.
“If you had even a little mobile development experience, [Dark Caracal] could cost less than $1,000,” Flossman says. “If you already had software development experience and a sufficiently resourced actor, it would be trivial for this to exist.”
Flossman and his co-authors say there likely are more hackers than those involved in Dark Caracal using the attack infrastructure they discovered. Some of Dark Caracal’s tools, techniques, and procedures were also identified in a series of attacks against journalists, lawyers, and activists critical of the Kazakhstan government, according to an EFF report in August 2016.
And while Dark Caracal appears to focus predominantly on Android devices, the report also concludes that its hackers have used Bandook RAT, a previously known Windows malware program, to develop desktop malware for the Windows, Mac, and Linux operating systems they call CrossRAT.
Fortunately, says the EFF’s director of cybersecurity and Dark Caracal report co-author Eva Galperin, avoiding Dark Caracal isn’t difficult when practicing good security hygiene. She recommends staying away from third-party Android app stores, as well as avoiding handing over your phone to anybody—even friends.
“One of the ways this malware was spread was through fake Google Play apps stores. Most consumers should use the Google Play Store, unless Google spying on them is a risk,” she says. “These attacks were unsophisticated, but clearly, ‘unsophisticated’ works.”