Israeli Users Targeted by Android Spyware Apps Since 2018
The Hamas-backed Group is Believed to Be Responsible for the Attacks.
Since 2018, a set of seemingly harmless Android applications has been infecting Israeli users with spyware, and the operation is still ongoing.
According to BleepingComputer, security researchers at Qihoo 360 spotted spyware-laden applications posing as legitimate apps such as Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, a PDF viewer, and Wire.
The most frequently used disguise is apparently a fake Threema, an open-source end-to-end encrypted instant messaging application for iOS and Android.
The initial vector for these apps, according to the researchers, is a WhatsApp message or Facebook post that redirects targets to a web page hosting the APK and prompting them to download it.
In some cases, the messages included a link to a supposedly important confidential PDF document on Google Drive.
The victim is then persuaded to download and install an APK that appears to be the mobile version of Adobe Reader but is in fact spyware.
Following the examination of several samples, the specialists discovered that the threat actors use a variety of commodity malware for these attacks, including SpyNote, Mobihok, WH-RAT, and 888RAT.
As BleepingComputer explains, all of these are commercially sold spyware tools with extensive capabilities, including file exfiltration, call recording, location tracking, keylogging, photo and video capture, real-time recording, clipboard access, phishing, and shell command execution.
Other powerful tools such as Metasploit and EsecretRAT were also found in the APKs. In both cases the attackers had added custom code on top of the open-source tools.
EsecretRAT is a new spyware tool based on ChatApp that can exfiltrate contact information, text messages, IMEI, physical address, IP address, and all images saved on the device.
Who Is Behind the Attacks?
Security researchers at Qihoo 360 believe the attacks are the work of a Hamas-backed group that has allegedly been linked to previous operations targeting Israel.
Users who downloaded Threema, Telegram, a PDF viewer, Al-Aqsa Radio, Al-Aqsa Mosque, or Jerusalem Guide from sources other than the Google Play Store are advised to delete the app as quickly as possible and scan their devices with an antivirus program.
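The advice above hinges on where an app was installed from. One way to check that on an Android device is to read the installer recorded for each package. The script below is an added example, not code from the article or from the researchers it cites: it parses the output format of `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<installer package>`) and lists every package whose installer is not the Google Play Store (`com.android.vending`). The sample lines are constructed for the example; the package names and installers in them are illustrative, not findings from the report.

```shell
#!/bin/sh
# Added example (not from the article): flag Android packages that were not
# installed through the Google Play Store, using the line format produced by
#   adb shell pm list packages -i
# Sideloaded apps typically show "installer=null" or a browser/file-manager
# package as their installer rather than com.android.vending.

PLAY_STORE="com.android.vending"

# Reads "package:<name>  installer=<pkg>" lines on stdin and prints the
# package names whose installer is not the Play Store, one per line.
sideloaded_packages() {
    awk -v store="$PLAY_STORE" '
        /^package:/ {
            pkg = $1
            sub(/^package:/, "", pkg)
            inst = "null"
            # The installer field is the token that starts with "installer=".
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^installer=/) { inst = substr($i, 11) }
            }
            if (inst != store) { print pkg " (installer=" inst ")" }
        }'
}

# Number of non-Play-Store packages in the input on stdin.
count_sideloaded() {
    sideloaded_packages | wc -l | tr -d ' '
}

# Constructed sample output; not captured from any real device.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:ch.threema.app  installer=null
package:com.example.pdfviewer  installer=com.example.browser
package:org.telegram.messenger  installer=com.android.vending'

main() {
    echo "Packages not installed via the Play Store (sample data):"
    echo "$SAMPLE" | sideloaded_packages
    echo "Total: $(echo "$SAMPLE" | count_sideloaded)"
    # With a device attached, run instead:
    #   adb shell pm list packages -i | sideloaded_packages
}

main "$@"
```

A package appearing in this list is not proof of compromise, since enterprise and OEM apps are also installed outside the Play Store; it is the set of apps worth comparing against the impersonated names in the report and scanning with an antivirus product.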