BladeHawk attackers spy on Kurds with fake Android apps

Facebook is being abused to spread surveillanceware focused on the Kurdish ethnic group.

Fake Android apps are being deployed on the handsets of Kurds in a surveillance campaign promoted across social media.  

On Tuesday, researchers from ESET said an attack wave conducted by the BladeHawk hacking group is focused on targeting the Kurdish ethnic group through their Android handsets. 

Thought to have been active since at least March last year, the campaign is abusing Facebook and using the social media platform as a springboard for the distribution of fake mobile apps. 

The researchers have identified six Facebook profiles connected to BladeHawk at the time of writing, all of which have now been taken down. 

While they were active, these profiles posed as individuals in the technology space and as Kurd supporters in order to share links to the group's malicious apps. 

ESET says that at minimum, the apps -- hosted on third-party websites, rather than Google Play -- have been downloaded 1,481 times. 

BladeHawk's fake applications were promoted as news services for the Kurdish community. However, they are harboring 888 RAT and SpyNote, two Android-based Remote Access Trojans (RATs) which enable the attackers to spy on their victims. 

SpyNote was only found in one sample, and so it appears that 888 RAT is currently BladeHawk's main payload. The commercial Trojan, of which a cracked and free version has been made available online since 2019, is able to execute a total of 42 commands once executed on a target device and a connection to the attacker's command-and-control (C2) server is established. 

The Trojan's functions include taking screenshots and photos; exfiltrating files and sending them to a C2; deleting content, recording audio and monitoring phone calls; intercepting and either stealing or sending SMS messages; scanning contact lists; stealing GPS location data; and the exfiltration of credentials from Facebook, among other functions. 

The researchers say that the RAT may also be linked to two other campaigns: a surveillance campaign documented by Zscaler that spreads via a malicious and fake TikTok Pro app, and Kasablanca, threat actors tracked by Cisco Talos who also focus on cyberespionage. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0