Heimdal

Since 2018, a set of seemingly harmless Android applications has been infecting Israeli users with spyware, and the operation is still ongoing.

According to BleepingComputer, researchers at Qihoo 360 spotted spyware-laden applications posing as legitimate apps such as Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, a PDF viewer, and Wire.

The most frequently impersonated application is Threema, an open-source, end-to-end encrypted instant messenger for iOS and Android.

The initial infection vector, according to the researchers, is a WhatsApp message or Facebook post that redirects targets to a web page hosting the malicious APK and prompts them to download it.

In some cases, the messages contained a link to a supposedly important confidential PDF document on Google Drive.


The victim is then persuaded to download and install an APK that appears to be the mobile version of Adobe Reader but is in fact spyware. Because the APK is served from the attackers' own page rather than the Play Store, the user has to allow installation from an unknown source, which is the step the social-engineering lure is designed to get them past.

After examining several samples, the researchers found that the threat actors rely on a variety of commodity malware for these attacks, including SpyNote, Mobihok, WH-RAT, and 888RAT.


As BleepingComputer explains, all of these are commercially sold spyware families with extensive capabilities, including file exfiltration, call recording, location tracking, keylogging, photo and video capture, real-time audio recording, clipboard access, phishing overlays, and shell command execution.

Metasploit payloads and EsecretRAT were also found in some of the APKs. In both cases the attackers had added custom code on top of the open-source tooling.

EsecretRAT is a new spyware tool based on ChatApp that can exfiltrate contact information, text messages, IMEI, physical address, IP address, and all images saved on the device.

Who Is Behind the Attacks?

Researchers at Qihoo 360 attribute the attacks to a Hamas-backed group that has been linked to previous operations targeting Israel.

Users who installed Threema, Telegram, a PDF viewer, Al-Aqsa Radio, Al-Aqsa Mosque, or Jerusalem Guide from any source other than the Google Play Store are advised to uninstall the app immediately and scan their device with a mobile antivirus product. The giveaway is not the app's name or icon, which the attackers copy, but where the package came from.
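One practical way to act on that advice is to list every installed package together with the package that installed it and flag anything that did not come from Google Play. The script below is an added example, not code from the Heimdal article or from Qihoo 360's report. It parses the output of Android's `pm list packages -i` command (run on the device through adb), where Google Play reports itself as the installer `com.android.vending` and sideloaded APKs show `installer=null` or the system package installer. The package listing embedded in the script is constructed sample data; the trusted-installer list is an assumption you would extend with your own enterprise store or MDM.

```shell
#!/bin/sh
# Added example (not from the Heimdal article or the Qihoo 360 report).
# Flags installed Android packages that were not installed by Google Play.
# Real usage on a connected device:
#   adb shell pm list packages -i | flag_sideloaded
# The package listing below is constructed sample data.

# Installer package names treated as trusted. Google Play is
# com.android.vending; add your MDM or OEM store here. Assumption:
# anything else (including installer=null) counts as sideloaded.
TRUSTED_INSTALLERS="com.android.vending"

# Reads `pm list packages -i` output on stdin. Each line looks like
#   package:<name>  installer=<installer>
# Prints "<name>\t<installer>" for every package whose installer is not
# in TRUSTED_INSTALLERS. Always returns 0 so it composes under set -e.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;   # skip any non-package line
        esac
        # Split on whitespace: $1 = package:<name>, $2 = installer=<installer>
        set -- $line
        pkg=${1#package:}
        installer=${2#installer=}
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$t" ]; then
                trusted=1
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\t%s\n' "$pkg" "$installer"
        fi
    done
    return 0
}

# Constructed sample listing: two Play-installed apps, one Threema
# lookalike sideloaded from a browser download, one "PDF reader"
# installed through the system package installer.
SAMPLE_LISTING='package:com.android.chrome  installer=com.android.vending
package:ch.threema.app  installer=null
package:com.adobe.reader  installer=com.android.packageinstaller
package:com.whatsapp  installer=com.android.vending'

# Runs the check over the constructed sample so the script works offline.
flag_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_sideloaded
}

flag_sample
```

On a real device the two flagged rows are the ones to investigate: a package name that imitates a well-known app but was never installed by the store is exactly the pattern this campaign depends on. Note that a legitimate enterprise app pushed by an MDM will also be flagged until you add that MDM's package name to `TRUSTED_INSTALLERS`.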


Author Profile

Antonia Din

PR & Video Content Manager
