A global mobile espionage campaign that has been collecting a trove of sensitive personal information from victims since at least 2012 has accidentally revealed itself, thanks to an exposed server on the open internet.
It's one of the first known examples of a successful large-scale hacking operation against mobile phones rather than computers.
The advanced persistent threat (APT) group, dubbed Dark Caracal, has claimed to have stolen hundreds of gigabytes of data, including personally identifiable information as well as intellectual property, from thousands of victims in more than 21 different countries, according to a new report from the Electronic Frontier Foundation (EFF) and security firm Lookout.
After mistakenly leaking some of its files to the internet, the shadowy hacking group has been traced back to a building owned by the Lebanese General Directorate of General Security (GDGS), one of the country's intelligence agencies, in Beirut.
"Based on the available evidence, it's likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," the report reads.
According to the 51-page report [PDF], the APT group targeted "entities that a nation-state might attack," including governments, military personnel, utilities, financial institutions, manufacturing companies, defence contractors, medical practitioners, education professionals, academics, and civilians from numerous different fields.
Researchers also identified at least four different personas associated with Dark Caracal's infrastructure, namely Nancy Razzouk, Hassan Ward, Hadi Mazeh, and Rami Jabbour, with the help of the email address op13@mail[.]com.
"The contact details for Nancy present in WHOIS information matched the public listing for a Beirut-based individual by that name. When we looked at the phone number associated with Nancy within the WHOIS information, we discovered the same number listed in exfiltrated content as well as being used by an individual with the name Hassan Ward."
"During July 2017, Dark Caracal's internet service provider took the adobeair[.]net command and control server offline. Within a matter of days, we observed it being re-registered to the email address op13@mail[.]com with the name Nancy Razzouk. This allowed us to identify several different domains listed under the same WHOIS email address information, running similar server components."
Multi-Platform Cyber Espionage Campaign
Dark Caracal has been conducting multi-platform cyber-espionage campaigns and has been linked to 90 indicators of compromise (IOCs), including 11 Android malware IOCs, 26 desktop malware IOCs across Windows, Mac, and Linux, and 60 domain/IP-based IOCs.
Since at least 2012, the group has run more than ten hacking campaigns aimed mainly at Android users in at least 21 countries, spanning North America, Europe, the Middle East and Asia.
The data stolen by Dark Caracal from its targets includes documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, and location data; basically every piece of information that allows the APT group to identify a person and take an intimate look at his or her life.
To get its job done, Dark Caracal did not rely on any "zero-day exploits," nor did it have to get its malware into the Google Play Store. Instead, the group used basic social engineering via posts in Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and to grant application permissions.
"One of the interesting things about this ongoing attack is that it doesn't require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware," said EFF Staff Technologist Cooper Quintin.
"This research shows it's not difficult to create a strategy allowing people and governments to spy on targets around the globe."
Here's How the Dark Caracal Group Infects Android Users
Once tricked into landing on the malicious websites, victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema, Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, onto the targets' mobile devices.
Pallas is a piece of surveillance malware that is capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes, from victims' devices.
"Pallas samples primarily rely on the permissions granted at installation in order to access sensitive user data. However, there is functionality that allows an attacker to instruct an infected device to download and install additional applications or updates," the report says.
"Theoretically, this means it's possible for the operators behind Pallas to push specific exploit modules to compromised devices in order to gain complete access."
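As an added defender-side illustration of the two points above (fake updates impersonating messengers, and spyware living off permissions granted at install), the heuristic below is example code written for this article, not code from the EFF/Lookout report. It triages a constructed app inventory and flags packages that imitate one of the named messengers or were installed outside Google Play and that also hold the permission set Pallas is described as relying on; the installer value, the permission threshold and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

# Genuine package names of the messengers the fake updates imitated.
OFFICIAL = {"whatsapp": "com.whatsapp", "signal": "org.thoughtcrime.securesms",
            "threema": "ch.threema.app", "telegram": "org.telegram.messenger",
            "orbot": "org.torproject.android"}
PLAY_STORE = "com.android.vending"  # installer recorded for Google Play installs

def perms(*names):
    """Expand short names to fully qualified Android permission strings."""
    return {"android.permission." + n for n in names}

# Permissions that together cover the Pallas capabilities named in the report.
SPY_PERMS = perms("READ_SMS", "READ_CALL_LOG", "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION")

@dataclass
class App:
    label: str
    package: str
    installer: str  # "" when sideloaded (no installing package recorded)
    permissions: set = field(default_factory=set)

def assess(app: App) -> list:
    """List the indicators that make an install look like an impersonating spy app."""
    reasons = []
    name = app.label.lower()
    for brand, pkg in OFFICIAL.items():
        if brand in name and app.package != pkg:
            reasons.append(f"label mimics {brand} but package is {app.package}")
    if app.installer != PLAY_STORE:
        reasons.append("not installed from Google Play")
    held = sorted(p.rsplit(".", 1)[1] for p in app.permissions & SPY_PERMS)
    if len(held) >= 3:  # assumed threshold: three or more of the spy permissions
        reasons.append("holds surveillance permission set: " + ", ".join(held))
    return reasons

def triage(apps) -> dict:
    """Flag only apps that are both suspiciously sourced and over-permissioned."""
    return {a.package: r for a in apps
            if (r := assess(a)) and len(r) >= 2 and r[-1].startswith("holds")}

# Constructed inventory (not real samples): genuine WhatsApp from Play, a sideloaded
# "Signal Update" with a lookalike package, and a sideloaded but genuine Orbot.
SAMPLE = [
    App("WhatsApp", "com.whatsapp", PLAY_STORE, perms("READ_SMS", "RECORD_AUDIO", "CAMERA")),
    App("Signal Update", "com.example.securemsg", "", SPY_PERMS | perms("INTERNET")),
    App("Orbot", "org.torproject.android", "", perms("INTERNET")),
]
```

Only the lookalike "Signal Update" is flagged: a genuine messenger legitimately holds several of these permissions, so provenance and permissions are judged together rather than separately.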
Besides its own custom malware, Dark Caracal also used FinFisher, a highly secretive surveillance tool that is often marketed to law enforcement and government agencies, as well as a newly discovered desktop spyware tool, dubbed CrossRAT, which can infect Windows, Linux, and OS X operating systems.
"Citizen Lab previously flagged the General Directorate of General Security in a 2015 report as one of two Lebanese government organizations using the FinFisher spyware," the report says.
According to the researchers, though Dark Caracal targeted macOS and Windows devices in various campaigns, at least six distinct Android campaigns were found linked to one of its servers that was left open for analysis, revealing 48GB stolen from around 500 Android phones.
Overall, Dark Caracal successfully managed to steal more than 252,000 contacts, 485,000 text messages and 150,000 call records from infected Android devices. Sensitive data such as personal photos, bank passwords and PINs were also stolen.
The best way to protect yourself from such Android-based malware attacks is to always download applications from the official Google Play Store rather than from any third-party website.