State-sponsored hackers turn to Android malware to spy on Israeli soldiers

News by Rene Millman

ViperRAT, discovered by researchers, is designed to exfiltrate data from Israeli Defence Force personnel via their Android phones, using honey traps.

A cyber-spying campaign targeting Android devices used by personnel within the Israeli Defence Force has been discovered by security researchers.

According to a blog post by Lookout and another by Kaspersky, more than 100 soldiers of the Israeli Defence Force (IDF) became victims when their Android devices were infected by malware called ViperRAT. This malware extracted audio and images from the devices and hijacked the device camera to take pictures.

Researchers at Kaspersky said that the spying campaign has been operational since July 2016, with attacks reported as recently as February this year. They said that this campaign is not only active but likely to increase.

The campaign relies heavily on social engineering techniques, using social networks to lure targeted soldiers into both sharing confidential information and downloading the malicious applications. So far the hackers have only targeted members of the IDF, most of them serving around the Gaza strip.

“We've seen a lot of the group's activity on Facebook Messenger. Most of the avatars (virtual participants in the social engineering stage) lure the victims using sexual innuendo, eg asking the victim to send explicit photos, and in return sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and more,” said Ido Naor, researcher at Kaspersky Lab.

Once the hackers have built up a relationship with the victim, they suggest installing another application to communicate. The app is served from a malicious URL; the attacker expects the victim to install the package manually.

This package is the dropper that contains the malware. It then requires the victim to grant several permissions, which allow the hacker to carry out surveillance using the device.

The malware is disguised as a WhatsApp update. Once installed, it lets the hackers execute commands such as collecting files or taking pictures, which are uploaded to a command-and-control (C&C) server. It can also collect device information, browse the web, send and receive messages and even eavesdrop on conversations, and it can be used to upload PDF and Office documents.
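The article gives a defender two observable indicators for this kind of dropper: an app that presents itself as a WhatsApp update but was installed manually rather than from the store (and so is not signed by the genuine publisher), and an app holding the permission cluster a surveillance RAT needs for photos, eavesdropping, messages, file collection and upload. The following is an added example, not code from the article or from Lookout's or Kaspersky's analysis. It runs that triage over a constructed app inventory of the kind a mobile device management agent exports; every record, package name outside `com.whatsapp` and `com.android.vending`, and signer digest is constructed sample data, and the genuine-signer value is a placeholder, not a real certificate hash.

```python
"""Triage an Android app inventory for fake-update droppers (added example).

Checks two indicators a defender can see on a managed device: an app that
presents as WhatsApp without being the genuine package signed by the genuine
publisher, and a manually installed app holding the permission cluster a
surveillance RAT needs. All records and digests below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Capabilities the article attributes to ViperRAT, mapped to the Android
# permissions an app must request to obtain them.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.CAMERA",                 # hijack camera for photos
    "android.permission.RECORD_AUDIO",           # eavesdrop on conversations
    "android.permission.READ_SMS",               # read messages
    "android.permission.SEND_SMS",               # send messages
    "android.permission.READ_EXTERNAL_STORAGE",  # collect PDFs and documents
    "android.permission.READ_CONTACTS",          # device information
    "android.permission.INTERNET",               # upload to the C&C server
}

# Placeholder for the SHA-256 of the genuine publisher's signing certificate;
# a real deployment pins the value observed on a known-good install.
GENUINE_WHATSAPP = ("com.whatsapp", "PLACEHOLDER_GENUINE_WHATSAPP_SIGNER_SHA256")


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]   # None means the APK was installed manually
    signer_sha256: str
    permissions: Set[str] = field(default_factory=set)


def impersonates_whatsapp(app: InstalledApp) -> bool:
    """True when the app looks like WhatsApp (label or lookalike package name)
    but is not the genuine package carrying the genuine signer."""
    pkg, signer = GENUINE_WHATSAPP
    looks_like = "whatsapp" in app.label.lower() or app.package.startswith(pkg)
    return looks_like and (app.package != pkg or app.signer_sha256 != signer)


def triage(app: InstalledApp) -> Tuple[bool, List[str]]:
    """Return (flagged, reasons). Sideloading or a broad permission set alone
    does not flag, because a genuine messenger legitimately holds most of these
    permissions; their combination, or any impersonation, does."""
    reasons: List[str] = []
    sideloaded = app.installer != PLAY_STORE
    if sideloaded:
        reasons.append("not installed from the store")
    fake = impersonates_whatsapp(app)
    if fake:
        reasons.append("presents as WhatsApp but package/signer do not match the genuine app")
    hits = app.permissions & SURVEILLANCE_PERMISSIONS
    has_cluster = len(hits) >= 4 and "android.permission.INTERNET" in hits
    if has_cluster:
        reasons.append(f"surveillance permission cluster ({len(hits)} of {len(SURVEILLANCE_PERMISSIONS)})")
    return fake or (sideloaded and has_cluster), reasons


def scan(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map each flagged package to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for app in inventory:
        hit, reasons = triage(app)
        if hit:
            flagged[app.package] = reasons
    return flagged


# Constructed inventory: one genuine messenger, one stand-in for the dropper
# the article describes, one narrow sideloaded app, one broad store app.
SAMPLE_INVENTORY = [
    InstalledApp("com.whatsapp", "WhatsApp", PLAY_STORE, GENUINE_WHATSAPP[1],
                 {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                  "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
                  "android.permission.INTERNET"}),
    InstalledApp("com.whatsapp.update", "WhatsApp Update", None, "CONSTRUCTED_UNKNOWN_SIGNER_SHA256",
                 {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                  "android.permission.READ_SMS", "android.permission.SEND_SMS",
                  "android.permission.READ_EXTERNAL_STORAGE", "android.permission.INTERNET"}),
    InstalledApp("org.example.torch", "Torch", None, "CONSTRUCTED_SIGNER_A",
                 {"android.permission.CAMERA"}),
    InstalledApp("org.example.cam", "Camera Pro", PLAY_STORE, "CONSTRUCTED_SIGNER_B",
                 {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                  "android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_CONTACTS",
                  "android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for pkg, why in scan(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```

Only the lookalike "update" is flagged: the genuine WhatsApp holds a surveillance-sized permission set but came from the store under the pinned signer, and the sideloaded torch app asks for too little to matter. Pinning the signer rather than the package name is the part that defeats an update-themed lure, since a dropper can copy a name but cannot reproduce the publisher's signing key.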

According to Michael Flossman, security researcher at Lookout, the threat actors behind ViperRAT seem to be particularly interested in image data.

“We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera,” he said.

He said that reports on ViperRAT have attributed it to Hamas, but Flossman added that Hamas is “not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.”

“Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic. This leads us to believe this is another actor.”

Alex Mathews, lead security evangelist at Positive Technologies, told SC Media UK that attributing this campaign to a specific set of actors is hard: “the important thing here is that businesses learn from the attack and take steps to protect their assets”.

“RATs themselves are nothing new, but the manner in which the two-stage payload is tailored by apps present on a device and delivered as an update is something which might dupe the average employee into installing something nasty,” he said.

Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that, given the sophistication of the malware, his first thought was that a government agency was behind the attack.

“Considering the reported method of delivery from the Lookout report (there is evidence that the victims were approached through social networks, attackers impersonating young women – ‘honey trapping’), the method of operation matches more closely a fundamentalist organisation or militant group which are known to be versed and shameless in using honey trapping for recruitment and propaganda,” he said.

He said that surveillance was and always will be an important part of strategic warfare, knowing the intentions of your opponent and being able to anticipate them.

“Surveillance evolved but was ever present, whether it was in the form of phone taps and bugs, satellites or internet monitoring, up to the crowd-sourcing methods using APT malware. Big data, machine learning and cloud technologies are enabling this crowd-sourced model for surveillance,” he added.
