Illegal surveillance by means of Android malware has been a major issue for a while now. Hackers are now using Android malware to spy on the Israeli military, remotely exfiltrate data, and monitor activity.
Cybersecurity researchers at Lookout and Kaspersky Lab have been monitoring the malware, dubbed ViperRAT. Although the campaign is still in its early stages and the group behind it is unidentified, it has already infected nearly 100 Israeli servicemen.
ViperRAT is designed to collect all kinds of sensitive information from infected devices. Its main interest, however, is images and audio files, along with SMS messages, contact lists, and device location.
Modus Operandi of the Campaign
According to the security firms, the attackers rely on social engineering. The soldiers were lured via Facebook Messenger and other social networks by hackers posing as attractive women from countries such as Canada, Germany, and Switzerland.
Once the hackers have built up a rapport with the targeted soldiers, the soldiers are tricked into installing trojanized versions of two otherwise legitimate Android chat apps, SR Chat and YeeCall Pro, supposedly for easier communication.
The malware also has other carriers, including a billiards game, an Israeli Love Songs player, and a Move To iOS app. Because these apps are commonly available to Israeli citizens through the Play store, they have contributed to a large number of infections. In fact, almost 9,000 files have been stolen from compromised Samsung, HTC, LG and Huawei devices belonging to over 100 Israeli soldiers.
The app is mainly a dropper: once installed, it downloads a payload masquerading as a WhatsApp update. This maneuver tricks users into granting the payload sensitive permissions.
With those privileges granted, ViperRAT lets the attackers execute on-demand commands, eventually gaining control over the phone's camera and microphone, among other components. Over a WebSocket protocol, data such as calls, live camera footage, geolocation, call logs, personal photos, and internet browsing activity is exfiltrated.
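The two paragraphs above describe the infection pattern a defender can look for on a managed fleet: a sideloaded package that borrows a well-known brand name and asks for the camera, microphone, SMS, contacts and location permissions together. The following triage script is an added example and is not code from Lookout, Kaspersky or the article; the app inventory it scans is constructed for illustration, the package names other than com.whatsapp are hypothetical, and the installer and brand tables are assumptions a practitioner would adjust for their own fleet.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permission set matching the collection capabilities the article attributes
# to ViperRAT: camera, microphone, SMS, contacts and device location.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Installer package names treated as trusted (assumption: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Brand keyword in an app label -> the genuine package name for that brand.
# Only the brand the article mentions is listed; extend as needed.
KNOWN_BRANDS = {"whatsapp": "com.whatsapp"}


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]              # None = sideloaded / unknown source
    permissions: set = field(default_factory=set)


def triage(app: InstalledApp, threshold: int = 3) -> tuple:
    """Return (risk_level, findings) for one installed app.

    high   - label imitates a known brand under a different package name, or a
             sideloaded app requests the sensitive permission set
    medium - only one of the two signals (permission set OR untrusted source)
    low    - nothing notable
    """
    findings = []
    sensitive = app.permissions & SENSITIVE_PERMISSIONS
    heavy_perms = len(sensitive) >= threshold
    untrusted = app.installer not in TRUSTED_INSTALLERS
    impersonation = False

    if heavy_perms:
        findings.append(f"requests {len(sensitive)} sensitive permissions: "
                        f"{sorted(sensitive)}")
    if untrusted:
        findings.append(f"installed from untrusted source: "
                        f"{app.installer or 'unknown'}")
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in app.label.lower() and app.package != genuine:
            impersonation = True
            findings.append(f"label '{app.label}' imitates {brand} "
                            f"but package is {app.package}")

    if impersonation or (untrusted and heavy_perms):
        return "high", findings
    if heavy_perms or untrusted:
        return "medium", findings
    return "low", findings


def triage_inventory(apps) -> dict:
    """Map package name -> risk level for every app in an inventory."""
    return {app.package: triage(app)[0] for app in apps}


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    InstalledApp("com.whatsapp", "WhatsApp", "com.android.vending",
                 {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                  "android.permission.READ_CONTACTS",
                  "android.permission.ACCESS_FINE_LOCATION"}),
    InstalledApp("com.example.update", "WhatsApp Update", None,
                 set(SENSITIVE_PERMISSIONS)),          # hypothetical dropper payload
    InstalledApp("com.example.billiards", "Pool Billiards", None,
                 {"android.permission.INTERNET", "android.permission.CAMERA",
                  "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
                  "android.permission.ACCESS_FINE_LOCATION"}),
    InstalledApp("com.example.notes", "Notes", "com.android.vending",
                 {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        level, findings = triage(app)
        print(f"{app.package}: {level}")
        for line in findings:
            print(f"    - {line}")
```

The genuine WhatsApp entry lands at "medium" on purpose: a messaging app legitimately holds most of these permissions, so the permission set alone is only a prompt to look closer, while a sideloaded package wearing the WhatsApp name is what should page someone. Real inventories would come from an MDM export or `adb shell pm list packages` plus `dumpsys package`, and the permission threshold, trusted installers and brand table are the knobs to tune against false positives.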
Hackers Behind the Attack
The IDF, however, doesn't seem to be the only target of this attack. Michael Flossman, security research services lead EMEA at Lookout, told ZDNet:
It has been used directly against IDF personnel, however, there's also a good indication that it has been deployed in other campaigns against other groups.
The group behind this attack has yet to be explicitly identified. However, activity patterns suggest that the cyber espionage is being carried out by a group operating out of the Middle East. According to Flossman:
They operate between Sunday and Thursday, so they have a work week that’s followed by several Middle Eastern countries.
The IDF is currently working with both Lookout and Kaspersky to identify infected targets and protect against further attacks. Further research on the same campaign by Kaspersky Lab can be found here. Meanwhile, to prevent further breaches, users should avoid downloading applications from untrusted or third-party sources.