Hackers are using this Android malware to spy on Israeli soldiers

Social engineering employed to distribute ViperRAT malware which uses infected devices to take photos and record audio.
Written by Danny Palmer, Senior Writer

Hackers are carrying out surveillance on members of the Israeli military by hacking into their Android phones in order to monitor activity and steal data - potentially including photos and audio recordings - according to security companies.

Developed and deployed by currently by a so-far unidentified group, ViperRAT is designed to collect sensitive information from infected devices, with those behind the malware seemingly most interested in images and audio files, althoughalso keen on SMS messages, contact books and access to the device location.

Cybersecurity researchers at both Lookout and Kaspersky Lab have been monitoring the ViperRAT campaign, which is still in its early stages and still actively attempting to compromise Android devices.

Over 100 Israeli servicemen - using devices from Samsung, HTC, LG and Huawei - are thought to have been hit so far and almost 9,000 files stolen from compromised devices; but it's likely the IDF isn't the only target.

"It has been used directly against IDF personnel, however there's also a good indication that it has been deployed in other campaigns against other groups," Michael Flossman, security research services lead EMEA at Lookout, told ZDNet.

The attackers use social engineering in order to compromise the Android smartphones of IDF soldiers, with hackers posing as young women on social media in order to entice targets into exchanging messages using Facebook messenger.

Once the hacker builds up a rapport with the target, they suggest the installation of an additional application for easier communication, which they send for installation directly via a malicious URL. Attackers have also been seen spreading the malware using a dropper hidden in a billiards game, an Israeli love songs player, and another app.

It's this dropper which contains the malware, which in order to be installed, requires the victim to allow various permissions which will enable the attackers to carry out surveillance using the device.

Disguised in the system as an update for WhatsApp, this payload allows the attackers to execute on demand commands - enabling them to to take photos and record audio at will - and to schedule tasks allowing for the collection of stolen data on a command and control server.

Using a Websocket protocall, ViperRAT can collect information about the device, browse the web, send and receive messages, eavesdrop on conversations and perhaps most importantly for the perpetrators - take photos at any time.

The actors behind the attack can also issue commands to search for and steal PDF and Office documents and any sensitive information which they might contain, actions with could further compromise targets.

While the malicious actors behind ViperRAT have yet to be explicitly identified, their activity patterns suggest that the cyberespionage is being carried out by a group operating out of the Middle East.

"They operate between Sunday and Thursday, so they have a work week that's followed by several Middle Eastern countries," says Flossman, who explains how there's one simple way which users can avoid becoming a target of ViperRAT. "Ensuring you don't download applications from untrusted sources would be a good recommendation".

The IDF had not responded to a request for comment at the time of publication.


Editorial standards