Surveillance Malware Apps Found in Google Play
Security specialists have discovered two separate occasions of hackers using Android apps to conduct highly targeted surveillance in the Middle East. Hackers pushing nation-state-style surveillance malware recently scored a major coup by getting three advanced malicious applications hosted in Google's official Play marketplace, researchers said.
The apps are built from two separate families of surveillance-focused malware, both targeting around a thousand unsuspecting users. The so-called ViperRAT malware was incorporated into two apps, and it has previously targeted members of the Israeli Defense Force. Another app takes two malware types, called Desert Scorpion and FrozenCell, to spy on targets in Palestine.
In the case of the ViperRAT apps, built with a focus on social networking and chat, the apps, once installed, would profile the device and try to download a second-stage surveillance component. That downloaded component gave an attacker "a considerable amount of control over a compromised device." The threat actor's motivations remain unclear.
The Desert Scorpion app also uses a second-stage payload that downloads malicious components when a user interacts with the app. That component gains almost unfettered access to the device -- including the ability to grab device metadata, track a user's location, send messages, and record surrounding audio, calls, and video -- all while running silently in the background.
An analysis of the Desert Scorpion app showed that its malicious functionality was not included in the app when it was submitted to Google Play; it was downloaded later, while the user was interacting with the app.
In both cases, the actors behind the malicious apps used phishing schemes to trick targets into downloading the apps. But what makes the apps so effective is that they were downloadable from Android's official app store, Google Play, lending the apps a level of credibility.
With ViperRAT, one of the apps looked almost indistinguishable from other social networking apps, and its malicious functionality was obfuscated from view during the app store approval process.
After Lookout reached out, Google removed the apps from the app store.
The existence of ViperRAT and Desert Scorpion on Google Play shows that actors are continuing to 'tune' their malware to get past early-stage detections and make it into first-party app stores. These techniques include not shipping the malicious functionality of an app until a second stage that is triggered by some user behavior. Surveillanceware is able to hide its malicious functionality in the noise of social networking and chat apps because such apps request many of the same permissions.
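The two points above, staged delivery of the malicious code and permission overlap with chat apps, suggest what a static triage check on an app submission can and cannot do. The script below is an added illustration written for this article, not code from Lookout, Google, or any analysis of the apps named here. It parses a constructed AndroidManifest.xml, scores only the permissions that exceed a hypothetical chat-app baseline (so the "noise" permissions do not inflate the score), and separately flags the capability to pull in code after review: the REQUEST_INSTALL_PACKAGES permission and class-loader references among strings assumed to have been extracted from classes.dex. The baseline sets, weights and threshold are assumptions chosen for the example; the permission names are real Android constants.

```python
"""Static triage heuristics for an Android app submission (added example).

Two checks mirror the article's observations:
  1. Excess permissions: score only what goes beyond a chat/social app's
     normal profile, since surveillanceware hides in that overlap.
  2. Staging capability: an app submitted without malicious code still has to
     fetch and load it later, so look for install/dynamic-loading indicators.
All sample data below is constructed; weights and threshold are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
P = "android.permission."

# Permissions a legitimate chat/social app commonly requests (the "noise").
CHAT_BASELINE = {P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "CAMERA", "RECORD_AUDIO",
    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "VIBRATE",
    "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK",
)}

# Permissions beyond that baseline that map to surveillance capabilities.
EXCESS_WEIGHTS = {
    P + "READ_SMS": 3, P + "RECEIVE_SMS": 3, P + "SEND_SMS": 2,
    P + "READ_CALL_LOG": 3, P + "PROCESS_OUTGOING_CALLS": 3,
    P + "READ_PHONE_STATE": 1, P + "SYSTEM_ALERT_WINDOW": 2,
}

# Indicators of the ability to install or load code after store review.
STAGING_PERMS = {P + "REQUEST_INSTALL_PACKAGES": 4}
STAGING_STRINGS = {
    "dalvik/system/DexClassLoader": 4,   # load a downloaded dex/jar
    "dalvik/system/PathClassLoader": 2,
    "java/lang/Runtime;->exec": 2,
}
FLAG_THRESHOLD = 6  # assumption: tune against a real corpus

# Constructed manifest for a chat-style app that also carries SMS, call-log
# and install-packages permissions (not taken from any real app).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Chat"/>
</manifest>
"""
# Constructed strings as if pulled from the same app's classes.dex.
SUSPECT_DEX_STRINGS = [
    "Lcom/example/chatapp/ui/MainActivity;",
    "Ljava/net/HttpURLConnection;",
    "Ldalvik/system/DexClassLoader;",
]
# Constructed manifest for a chat app that stays within the baseline.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="PlainChat"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def triage(manifest_xml, dex_strings=()):
    """Score a submission; returns baseline/excess/staging findings and a flag."""
    perms = requested_permissions(manifest_xml)
    excess = {p: w for p, w in EXCESS_WEIGHTS.items() if p in perms}
    staging = {p: w for p, w in STAGING_PERMS.items() if p in perms}
    staging.update({s: w for s, w in STAGING_STRINGS.items()
                    if any(s in x for x in dex_strings)})
    score = sum(excess.values()) + sum(staging.values())
    return {
        "baseline": sorted(perms & CHAT_BASELINE),
        "excess": sorted(excess),
        "staging": sorted(staging),
        "score": score,
        "flag": score >= FLAG_THRESHOLD,
    }


if __name__ == "__main__":
    for label, m, d in (("suspect", SUSPECT_MANIFEST, SUSPECT_DEX_STRINGS),
                        ("benign", BENIGN_MANIFEST, [])):
        print(label, triage(m, d))
```

The point of separating the two scores is that neither alone is conclusive: a chat app can legitimately hold SMS permissions, and a plugin architecture can legitimately use DexClassLoader, but the combination of excess surveillance permissions with the capability to load code after review is exactly the profile the article describes, and it is visible before any second stage is ever downloaded. A heuristic like this is a triage input for a reviewer or a dynamic-analysis queue, not a verdict.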