Uncovered: Cyber Espionage Using Fake Apps with Android Malware
It may not be readily apparent to those in love with the products from the company in Cupertino, California, but the numbers don’t lie: studies by industry-leading analysts indicate that Android-powered phones account for around 87 percent of the market. Apple may be the darling of the smart set, but Google’s Android operating system rules the roost. The custodians of Android and the Google Play Store therefore need to keep their wits about them. Android has become a ripe target for fake apps built to deliver Android malware, and the platform is now a prime target for cyber espionage.

Fake apps used for cyber espionage

Working together with the mobile security firm Lookout, the Electronic Frontier Foundation (EFF), the digital rights group based in the United States, has uncovered Android malware that used fake apps to obtain information from thousands of Android users in 21 countries. It is estimated that hundreds of gigabytes of data have been stolen from these users. The threat, now dubbed ‘Dark Caracal’, relies on users downloading and installing fake apps that are, by and large, extremely convincing ‘clones’ of popular messaging apps such as WhatsApp and Signal. They operate without a hitch and supply all the functionality of the real versions, but at the same time the infected devices allow attackers to read text messages, access images (and take photos), grab location information and capture audio, with potentially disastrous consequences for individual privacy.

According to EFF Director of Cybersecurity, Eva Galperin: “People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, political activists, journalists, and lawyers. This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

Android malware – Is a nation state responsible?

The level of sophistication, the widespread geographical targeting and the nature of the data being gathered have led experts to conclude that Dark Caracal may be the work of a nation state, with significant resources brought to bear to ensure the success of the Android malware. In fact, both Lookout and EFF have traced the Android malware to the Middle East, specifically to a building in Beirut belonging to the Lebanese General Security Directorate, in other words the Lebanese state spy agency. Once security researchers gained access to one of the servers used by the group, the location data proved incontrovertible. The server contained a great deal of information, including WiFi network records used to track the location of targeted individuals running the malicious apps.

Not a new piece of Android malware

Research suggests that the fake apps that are the hallmark of Dark Caracal are not new: the EFF report indicates that Dark Caracal has been active since 2012. But the sheer diversity of espionage activities that share the same domain names makes it extremely challenging to identify exactly which global cybercrime and espionage organizations are responsible. In fact, a 2016 report mistakenly pointed the finger at the Indian company Appin as the culprit behind the fake apps. The EFF report actually identified six separate cyber espionage campaigns, all running in parallel and targeting diverse geographical areas such as Venezuela, Germany and Pakistan.

Users enable cyber espionage

The danger of the fake apps is that the attacks rely on the unwitting cooperation of users who unknowingly download the Android malware from app stores onto their Android phone or tablet. This eliminates the need for sophisticated exploits: all Dark Caracal needs is the permissions the users grant at install time. In essence, users are allowing state actors, and potentially other people and organizations, to spy on them with their own consent.

Mike Murray, Vice President of Security Intelligence at Lookout commented that, “Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform.”

An ominous cyber espionage development

While Dark Caracal seems to have been the work of the Lebanese, the implications of the research should disturb security experts and users of Android devices alike.

Michael Flossman, Lead of Security Research at Lookout suggested that “Attackers are increasingly going after mobile devices because of the access to both personal and corporate data these devices contain or can grant access to.”

Galperin is of the opinion that Dark Caracal is part of a new kind of spyware service, one that contracts jobs by the target rather than selling tools outright. The Dark Caracal attacks may be the work of a single actor based in Lebanon taking on six jobs at once for a variety of buyers and selling to the highest bidder. That is a new way of doing business, and it shows how quickly the cyber espionage business model, and the development of various types of spyware (including fake apps and Android malware), is evolving.