Fourth-generation Android espionage campaign targets Middle East

Smartphone snoopers install malware which can provide attackers with information on almost every activity performed on the device.
Written by Danny Palmer, Senior Writer

A newly uncovered form of sophisticated Android malware is being distributed via compromised websites and Telegram channels, apparently with cyber espionage in mind.

The malware has a wide range of abilities and is capable of snooping on any activity carried out on an infected smartphone and is said to bear the hallmarks of a state-backed campaign.

It can steal information about contacts, call logs, pictures, messages and browser data, as well as making audio records of calls made using the phone, and silently making calls and executing shell commands.

The malware contains a keylogging function which allows attackers to steal sensitive information such as usernames and passwords, as well as the ability to capture photos and screenshots.
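The capabilities listed above (contacts, call logs, messages, audio recording, photos and screenshots) map onto a small set of Android runtime permissions, which gives a defender a cheap triage check. The script below is an added example and is not Kaspersky Lab's code or anything from the original article. It parses a constructed app inventory (the one-line-per-app format and the package names are invented for this example and are assumed to have been exported from the device) and flags apps that were sideloaded, which matches the distribution via websites and Telegram channels described here, and that hold several of the permissions such spyware needs.

```python
"""Triage an Android app inventory for sideloaded apps holding the permission
set a ZooPark-style spyware needs (contacts, call log, SMS, microphone, camera).
The inventory line format and sample data are constructed for this example;
they are not Kaspersky Lab's data and not real adb output."""
from dataclasses import dataclass, field

# Permissions corresponding to the reported capabilities: contacts, call logs,
# messages, call/audio recording, photos and screenshots.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Installer package names treated as trusted (assumption: Google Play only).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Flag a sideloaded app once it holds at least this many high-risk permissions.
RISK_THRESHOLD = 3


@dataclass
class App:
    package: str
    installer: str                      # "null" when the app was sideloaded
    granted: set = field(default_factory=set)


def parse_inventory(text: str) -> list:
    """Parse the constructed format, one app per line:
    package:<name> installer=<pkg|null> perms=<comma-separated granted perms>
    """
    apps = []
    for line in text.strip().splitlines():
        tokens = line.split()
        package = tokens[0].split(":", 1)[1]
        attrs = dict(tok.split("=", 1) for tok in tokens[1:])
        perms = {p for p in attrs.get("perms", "").split(",") if p}
        apps.append(App(package, attrs.get("installer", "null"), perms))
    return apps


def triage(apps: list) -> list:
    """Return (package, sorted high-risk permissions) for every app that is
    both sideloaded and holds RISK_THRESHOLD or more high-risk permissions."""
    findings = []
    for app in apps:
        sideloaded = app.installer not in TRUSTED_INSTALLERS
        risky = sorted(app.granted & HIGH_RISK_PERMISSIONS)
        if sideloaded and len(risky) >= RISK_THRESHOLD:
            findings.append((app.package, risky))
    return findings


def triage_text(text: str) -> list:
    """Convenience wrapper: parse an inventory and triage it in one call."""
    return triage(parse_inventory(text))


# Constructed sample: one Play-installed messenger, one harmless sideloaded
# flashlight, one sideloaded "system update" app with the full spyware set.
SAMPLE_INVENTORY = """
package:com.example.chat installer=com.android.vending perms=android.permission.READ_CONTACTS,android.permission.RECORD_AUDIO,android.permission.CAMERA,android.permission.READ_SMS
package:com.example.flashlight installer=null perms=android.permission.CAMERA
package:com.example.sysupdate installer=null perms=android.permission.READ_CONTACTS,android.permission.READ_CALL_LOG,android.permission.READ_SMS,android.permission.RECORD_AUDIO,android.permission.CAMERA
"""

if __name__ == "__main__":
    for package, perms in triage_text(SAMPLE_INVENTORY):
        print(f"REVIEW {package}: sideloaded, holds {len(perms)} high-risk permissions")
        for perm in perms:
            print(f"    {perm}")
```

On the sample inventory only `com.example.sysupdate` is reported: the messenger holds four high-risk permissions but came from the Play store, and the flashlight is sideloaded but holds only one. The check is a prioritisation heuristic rather than a verdict: Play-store origin does not prove an app is benign, and a flagged app still needs to be reviewed by hand.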

Uncovered by researchers at security company Kaspersky Lab and dubbed ZooPark, it's thought the cyber espionage campaign has been ongoing since at least June 2015, with a focus on targets in the Middle East, including Egypt, Jordan and Lebanon.

[Image: How the malware has evolved. Source: Kaspersky Lab]

Despite the long-running nature of the campaign, there have not been many infections: targets appear to be specially selected, and the operation behind the attacks can afford to put time and effort into each campaign.


"With our detection statistics, we observed fewer than 100 targets. This and other clues indicate that the targets are specifically selected," Alexey Firsh, security expert at Kaspersky Lab, told ZDNet.

"This campaign is very targeted, which made the malware very challenging for researchers to discover," he added. "The group obviously has a large background in offensive security operations and a lot of resources."

Those behind the campaign have infected targets with several generations of malware over the years, with the fourth and latest generation being the most advanced version of the malicious payload.

In addition to being able to exfiltrate data from default applications on the device, the latest incarnation targets messaging applications such as Telegram, WhatsApp and the Chrome web browser with attacks which can steal internal databases. In the case of the web browser, this means any credentials stored in it would be stolen.

Earlier versions of ZooPark relied on distribution via Telegram channels. In addition to this, the attackers compromised legitimate websites in an effort to distribute the espionage tools.


Kaspersky Lab hasn't confirmed who is behind the campaign, other than that ZooPark shares the sophisticated hallmarks of a nation-state backed campaign - one which in this instance targets activists, not another state.

"More and more people use their mobile devices as a primary - or sometimes even only - communication device. That is certainly being spotted by nation-state sponsored actors, who are building their toolsets so they will be efficient enough to track mobile users," said Firsh.

"The ZooPark APT, actively spying on targets in Middle Eastern countries, is one such example, but it is certainly not the only one."

There's no indication that this particular cyber espionage campaign has ceased operation.
