Fake Android Apps Used for Targeted Surveillance Found in Google Play
Security researchers recently discovered fake Android apps on Google Play store that are used for targeted surveillance particularly in the Middle East.
The apps were downloaded from the Android’s app store and needed a second-stage component that was immediately downloaded following the installation of the apps.
The apps are thought to be created by surveillance-focused malware families and have targeted more than a thousand users who are unaware of the malware. The ViperRAT malware was included in two apps and is known to specifically targeting Israeli Defense Force members while another app that incorporates two types of malware dubbed as the Desert Scorpion and the FrozenCell are used to spying on Palestine targets.
A recent report published by the Lookout cyber security firm states that all the three apps are connected to mobile focused advanced persistent threats. The ViperRAT profiles the mobile devices to download surveillance components and gives considerable access to the attackers while the Desert Scorpion uses a second-stage component and gains almost uninterrupted access to the hacker to track the user’s location, recording audio and video calls and send messages all while working silently in the background.
According to Lookout, the main culprit behind the malware attack is a threat group called as APT-C-23. Similarities between the malwares also indicate that they might be coming from the same malware developers. APT-C-23 was thought to be active some time back in 2015 and the authorities didn’t see them as a real threat until the recent malware attacks. They are considered as very active hackers and are suspected to be linked to Hamas as their previous targets included members of the Fatah – the Palestinian political party.
In all the recent cases of the malware attacks, the makers of the malicious apps are said to use phishing schemes to trick the targets into downloading the apps. The users also seem to be unaware of the fact that they are indeed malicious as they are available on Google Play store giving them a kind of credibility as most of the suspicious apps finding it hard getting behind the protective firewall of the Google app store.
Immediately after Lookout notified, Google removed the apps from the store and even updated its Play Protect to make sure that the users are secure from the malware. Google added that the maliciousness of the apps was not distinguished from other social networking apps leading to the approval by App Store.