The apps are built from two separate families of surveillance-focused malware, both targeting around a thousand unsuspecting users. The so-called ViperRAT malware was incorporated into two apps, and it has previously targeted members of the Israeli Defense Force. Another app takes two malware types, called Desert Scorpion and FrozenCell, to spy on targets in Palestine.
All three apps are linked to mobile-focused advanced persistent threats, said a new report published Monday by cybersecurity firm Lookout.
In the case of the ViperRAT apps, built with a focus on social networking and chat, the apps, once installed, would profile the device and try to download a second-stage surveillance component. That downloaded component gave an attacker "a considerable amount of control over a compromised device." The threat actor's motivations remain unclear.
Lookout said there is "currently no evidence" the actor successfully deployed it against the Israeli Defense Force this time around, but did not name a new target.
Meanwhile, the Desert Scorpion app also uses a second-stage payload that downloads malicious components when a user interacts with the app. That component gains almost unfettered access to the device -- and the ability to grab devices, metadata, track a user's locations, send messages, record surrounding audio, calls, and video -- all while running silently in the background.
Lookout said an advanced persistent threat group, known as APT-C-23, is likely the suspect behind the malware. Not only that, similarities in the command and control infrastructures of Desert Scorpion and FrozenCell suggest the two malware families may indicate a common actor or developer.
Previously, it's been assumed APT-C-23 is a little-known advanced persistent threat actor dating back to 2015. The attackers are said to be "highly active" hackers, thought to be linked to Hamas, given that previous targets have included rival Palestinian political party Fatah.
In both cases, the actors behind the malicious apps used phishing schemes to trick targets into downloading the apps.
But what makes the apps so effective is that they were downloadable from Android's official app store, Google Play, lending the apps a level of credibility. That's because most rudimentary malware apps don't get installed without an Android users actively lowering their own security settings in order to install apps outside of the supposedly protective wall of Google's app store.
It's not unheard of for malware apps to sneak into the Android app store, but it is rare.