Since 2018, a set of ostensibly harmless Android applications has been infecting Israeli consumers with spyware, and the campaign is still ongoing.
Researchers at Qihoo 360 uncovered the spyware-laden apps, which included Threema, Al-Aqsa Mosque, Al-Aqsa Radio, Jerusalem Guide, PDF reader, Wire, and other apps camouflaged as social apps.
The most frequently used application is a spoof of Threema, an end-to-end encrypted instant messaging app. According to the researchers, the initial vector for these applications is a Facebook post or WhatsApp message that redirects victims to a website hosting the APK and prompts them to download it.
In other cases, the messages contain a link to a supposedly important confidential PDF document on Google Drive. The victim is then asked to download an APK that appears to be the mobile version of Adobe Reader but is actually malware.
The researchers looked at several samples and discovered that the attackers employ various commodity malware, including SpyNote, WH-RAT, Mobihok, and 888RAT.
These are all commercial spyware tools with extensive feature sets, including:
- call recording
- file exfiltration
- real-time recording
- location tracking
- shell command execution
- photo and video capturing
- clipboard management
In a smaller number of cases, Metasploit and EsecretRAT were detected in the APKs. In both cases, the actors had added their own custom code to the open-source tools.
EsecretRAT is a unique spyware program based on ChatApp that can exfiltrate contact lists, SMS, IMEI, location information, IP address, and any photographs stored on the device.
Qihoo 360 thinks the attacks are being carried out by ‘APT-C-23,’ a Hamas-backed outfit that has been linked to previous Israel-targeting efforts.
They were exposed in October 2020 for deploying Android spyware disguised as Threema and Telegram targeting Israeli smartphones. They have previously used specialized spyware applications disguised as legitimate dating apps to lure Israeli soldiers.
The researchers noted that while attribution for this three-year-old campaign is tentative, the similarities with past APT-C-23 activity are striking.
If you obtained Threema, PDF reader, Telegram, Al-Aqsa Mosque, Al-Aqsa Radio, or Jerusalem Guide from a source other than the Google Play Store, uninstall the app immediately and run an antivirus scan on your device.
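The two defensive signals the article gives (the APK arrived outside Google Play, and the app carries permissions that enable the capabilities listed above) can be checked on a device over adb. The following triage helper is an added example written for this page; it is not code from the article or from Qihoo 360. It assumes the output formats of two real commands, `adb shell pm list packages -i -3` (one `package:<name> installer=<installer>` line per third-party package) and `adb shell dumpsys package <pkg>` (runtime permissions shown as `<permission>: granted=true`). The sample outputs embedded below are constructed for illustration, not captured from an infected device; the Play Store package names for Threema, Telegram, Adobe Reader and Wire are the public ones, and the name hints are taken from the app names the article lists.

```python
"""Triage helper: flag sideloaded Android packages and the spyware-relevant
permissions they hold. Added example, not from the article or Qihoo 360.

Assumed input formats (both from real adb commands):
  adb shell pm list packages -i -3     -> "package:<pkg> installer=<installer>"
  adb shell dumpsys package <pkg>      -> "<permission>: granted=true"
The sample data below is CONSTRUCTED to exercise the parsers.
"""
import re
from typing import Dict, List, Tuple

# Installers a defender would normally treat as trusted: the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Public Play Store package names of apps the campaign impersonates, plus
# name fragments from the app names the article lists.
IMPERSONATED_PACKAGES = {"ch.threema.app", "org.telegram.messenger",
                         "com.adobe.reader", "com.wire"}
NAME_HINTS = ("threema", "telegram", "adobe", "wire", "aqsa", "jerusalem")

# Capabilities from the article, mapped to the Android runtime permissions a
# package needs in order to exercise them (any one listed permission suffices).
CAPABILITY_PERMISSIONS = {
    "call recording": {"android.permission.RECORD_AUDIO",
                       "android.permission.READ_CALL_LOG"},
    "real-time recording": {"android.permission.RECORD_AUDIO"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "photo and video capturing": {"android.permission.CAMERA"},
    "contact/SMS exfiltration": {"android.permission.READ_CONTACTS",
                                 "android.permission.READ_SMS"},
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s+granted=true")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_granted(dumpsys_output: str) -> set:
    """Collect runtime permissions marked granted=true in dumpsys output."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = PERM_LINE.match(line)
        if m:
            granted.add(m.group(1))
    return granted


def capabilities(granted: set) -> List[str]:
    """Return the article's spyware capabilities this permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if needed & granted)


def triage(pm_output: str,
           dumpsys_by_pkg: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag packages not installed from a trusted store, with reasons and
    the spyware capabilities their granted permissions would allow."""
    findings = []
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # came from Play; outside this article's warning
        reasons = [f"installer={installer}"]
        # A real package name of an impersonated app arriving outside Play, or
        # an unfamiliar package with a look-alike name, both deserve a look.
        if pkg in IMPERSONATED_PACKAGES or any(h in pkg.lower() for h in NAME_HINTS):
            hint = next((h for h in NAME_HINTS if h in pkg.lower()), pkg)
            reasons.append(f"name matches {hint}")
        caps = capabilities(parse_granted(dumpsys_by_pkg.get(pkg, "")))
        findings.append((pkg, "; ".join(reasons), caps))
    return findings


# --- CONSTRUCTED sample data (not from a real device) -----------------------
SAMPLE_PM = """\
package:com.android.chrome installer=com.android.vending
package:ch.threema.app installer=null
package:com.example.pdfreader installer=com.google.android.packageinstaller
package:org.telegram.messenger installer=com.android.vending
"""

SAMPLE_DUMPSYS = {
    "ch.threema.app": """\
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
      android.permission.READ_SMS: granted=true
""",
    "com.example.pdfreader": """\
      android.permission.READ_EXTERNAL_STORAGE: granted=true
""",
}

if __name__ == "__main__":
    for pkg, why, caps in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"{pkg}: {why}; enables {caps or 'nothing listed'}")
```

On a live device, feed the helper with `adb shell pm list packages -i -3` and one `adb shell dumpsys package <pkg>` per flagged package; a sideloaded package whose name mimics one of the listed apps and which already holds microphone, camera, location or SMS permissions is exactly the case the article says to uninstall and scan for.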