Israeli soldiers tricked into installing malware by Hamas agents posing as women

IDF: Six social media accounts were used to lure soldiers into installing three malware-infected apps.

idf-collage.jpg (Image: IDF)

Members of the Hamas Palestinian militant group have posed as young teenage girls to lure Israeli soldiers into installing malware-infected apps on their phones, a spokesperson for the Israeli Defence Force (IDF) said today.

Some soldiers fell for the scam, but the IDF said it detected the infections, tracked down the malware, and then took down Hamas' hacking infrastructure.

IDF said Hamas operatives created Facebook, Instagram, and Telegram accounts and then approached IDF soldiers.

According to IDF spokesperson Brigadier General Hild Silberman, the Hamas agents posed as new immigrants to Israel to explain their poor Hebrew.

IDF investigators said they tracked six fake personas used in the recent social engineering campaign, under the names Sarah Orlova, Maria Jacobova, Eden Ben Ezra, Noa Danon, Yael Azoulay, and Rebecca Aboxis.

Soldiers who engaged in conversations were eventually lured into installing one of three chat apps, named Catch & See, Grixy, and Zatu, on the promise that the agents would share more photos there.

catch-and-see.png (Image: IDF)

grixy-app.png (Image: IDF)

zatu.png (Image: IDF)

Gen. Silberman said the apps faked a crash on launch, giving the impression they could not run on the soldier's phone, and then removed their icon from the home screen, leaving the user to assume the app had uninstalled itself.

In reality the app kept running in the background. The malicious apps would then exfiltrate photos, SMS messages, contacts, and more. They could also install additional malware on the device, track the phone's location in real time, take screenshots, and even take photos with the phone's camera.
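The icon-hiding trick described above leaves a tell-tale gap: the package is still installed and still has a running process, but no launcher entry. The following triage script is an added example, not code from the IDF, Check Point, or the article; it parses constructed sample output in the shape of `adb shell pm list packages -3`, the launcher-activity listing from `cmd package query-activities` (whose exact surrounding text is assumed here; only the `package/Activity` tokens are used), and `adb shell ps -A`, and flags third-party packages that are running without a launcher icon. Package names such as `com.example.catchandsee` are made up for the example.

```python
"""Triage check for Android apps that hide their launcher icon but keep running.

Inputs are constructed samples in the format of three adb commands (run on a
device with USB debugging enabled):

    adb shell pm list packages -3
    adb shell cmd package query-activities --brief \
        -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
    adb shell ps -A

Only the "package:<name>" lines, the "<package>/<activity>" tokens and the
last column of ps are relied on; everything else is ignored.
"""
import re

# --- Constructed sample output (not real captures) ---------------------------
SAMPLE_PACKAGES = """\
package:com.whatsapp
package:com.example.catchandsee
package:com.android.chrome
package:com.example.grixy
"""

# Launcher activities. The "Activity #n:" framing is an assumption about the
# tool's output; the parser keys only on <package>/<activity> lines.
SAMPLE_LAUNCHER = """\
Activity #0:
  com.whatsapp/.Main
Activity #1:
  com.android.chrome/com.google.android.apps.chrome.Main
"""

# Android names an app's main process after its package (and "<pkg>:<name>"
# for secondary processes), so the NAME column maps straight to a package.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
u0_a123      12001   802 5123456 123456 0                   0 S com.whatsapp
u0_a140      12055   802 4987654  98765 0                   0 S com.example.catchandsee
u0_a150      12090   802 5200000 150000 0                   0 S com.android.chrome
u0_a150      12091   802 5200000 150000 0                   0 S com.android.chrome:sandboxed_process0
"""

COMPONENT_RE = re.compile(r"^\s*([A-Za-z][\w.]*)/([\w.$]+)\s*$")


def parse_packages(text):
    """Package names from `pm list packages` output ("package:<name>")."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_launcher_packages(text):
    """Packages that expose at least one MAIN/LAUNCHER activity."""
    pkgs = set()
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            pkgs.add(m.group(1))
    return pkgs


def parse_running_packages(text):
    """Packages with a live process, from the NAME column of `ps -A`."""
    running = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if fields:
            running.add(fields[-1].split(":", 1)[0])
    return running


def installed_without_icon(packages, launcher):
    """Third-party packages with no launcher entry (legit ones exist too)."""
    return sorted(p for p in packages if p not in launcher)


def hidden_and_running(packages, launcher, running):
    """No icon *and* a running process: the pattern described in the article."""
    return sorted(p for p in packages if p not in launcher and p in running)


def triage(pkg_text, launcher_text, ps_text):
    return hidden_and_running(parse_packages(pkg_text),
                              parse_launcher_packages(launcher_text),
                              parse_running_packages(ps_text))


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PACKAGES)
    launcher = parse_launcher_packages(SAMPLE_LAUNCHER)
    print("no launcher icon:  ", installed_without_icon(pkgs, launcher))
    print("hidden and running:", triage(SAMPLE_PACKAGES, SAMPLE_LAUNCHER, SAMPLE_PS))
```

Treat the output as leads, not verdicts: keyboards, accessibility services and some vendor components legitimately have no launcher icon, so each hit should be checked with `dumpsys package <pkg>` for its permissions, install source and first-install time before anything is uninstalled.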

Israeli cyber-security firm Check Point attributed the malware to a group it has been tracking under the codename APT-C-23 since the summer of 2018.

Happened before

This is the second time Hamas agents have run a social media catfishing campaign to trick IDF soldiers into installing malware on their devices; they tried the same tactic in January 2017.

Hamas agents were bolder in their next campaign, in the summer of 2018, hiding malware in dating and World Cup-themed Android apps that they managed to get onto the official Google Play Store [1, 2]. That campaign reportedly claimed hundreds of victims around the world.

The tactic of using social media profiles of attractive young women to trick western military officials and soldiers into installing malware on their devices has also been used by Hezbollah (an Islamist political party and militant group based in Lebanon, which the US and a number of other countries have designated a terrorist organization).

In October 2018, the Czech intelligence service shut down servers used by Hezbollah in one of these mobile hacking operations. It did not say who the campaign targeted, only that it had been running for more than a year, since 2017.

It is generally considered an operations security (OPSEC) failure to let soldiers use personal devices while deployed in the field; the Pentagon, for example, has instructed US troops deploying to the Middle East to leave personal devices at home.