A seemingly harmless set of Android apps has been infecting Israeli users with spyware since 2018, and the campaign continues to this day.
The spyware-laden apps were discovered by Qihoo 360 researchers, who found various apps disguised as social apps, Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, a PDF viewer, Wire and other apps.
The most abused app is the one masquerading as Threema, an end-to-end encrypted instant messaging app.
Researchers believe that the initial vector for these apps is a Facebook post or WhatsApp message that directs victims to a website that hosts the APK and offers it for download.
In some cases, the messages contain a Google Drive link to a supposedly important classified PDF document.
The target is then prompted to download an APK that claims to be the mobile version of Adobe Reader, but is actually spyware.
Vast array of spyware
Researchers analyzed various samples and found that attackers use a wide variety of basic malware for these attacks, including SpyNote, Mobihok, WH-RAT, and 888RAT.
These are all commercial spyware with powerful features including:
- file exfiltration
- call recording
- location tracking
- keystroke recording
- photo and video capture
- real-time recording
- clipboard management
- shell command execution
In fewer cases, Metasploit and EsecretRAT were found in the APKs. In both cases, the actors had added custom code on top of the open-source tools.
EsecretRAT is based on ChatApp and is a new spyware tool capable of exfiltrating contact lists, SMS, IMEI, location information, IP address and all photos stored in the device.
Signs of Hamas-backed hackers
Qihoo 360 believes that ‘APT-C-23’, a Hamas-backed group, is behind the attacks and has been repeatedly linked to previous campaigns targeting Israel.
In October 2020, they were discovered to have used Android spyware disguised as Threema and Telegram against devices in Israel.
A few months earlier, they baited the Israeli soldiers with custom spyware apps designed to appear as legitimate dating apps.
For this campaign, which has been running for three years, the researchers note that the evidence for attribution is limited, but the similarities to previous APT-C-23 campaigns are strong.
If you downloaded Threema, Telegram, a PDF viewer, Al-Aqsa Radio, Al-Aqsa Mosque or Jerusalem Guide from a site other than the Google Play Store, you are advised to remove the app immediately and scan your device with an antivirus program.
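The advice above hinges on one question: which apps on the device did not come from the Play Store? Android records the installing package for every app, and `adb shell pm list packages -i` prints it. The script below is an added example, not code from the article or from Qihoo 360; it parses that output and lists every package whose recorded installer is not `com.android.vending` (the Play Store). The sample lines and package names in it are constructed for the example, and the `--live` mode assumes `adb` is on the PATH with a device connected and USB debugging enabled.

```shell
#!/bin/sh
# Added example: flag packages whose recorded installer is not the Play Store,
# using the output of `adb shell pm list packages -i`. Each line looks like
#   package:com.foo.bar  installer=com.android.vending
# Sideloaded packages report installer=null or a non-store installer.

PLAY_STORE="com.android.vending"

# Read `pm list packages -i` lines on stdin; print one package name per line
# for every package whose installer is not the Play Store.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}              # keep only the package name
        installer=${line##*installer=}
        [ "$installer" = "$PLAY_STORE" ] && continue
        printf '%s\n' "$pkg"
    done
}

# Constructed sample standing in for a real device; the package names are
# made up for this example.
sample_pm_output() {
    cat <<'EOF'
package:com.android.chrome  installer=com.android.vending
package:com.example.fakethreema  installer=null
package:com.example.pdfreader  installer=com.android.packageinstaller
package:org.example.radio  installer=com.android.vending
EOF
}

# Number of flagged packages in the sample (quick self-check).
count_flagged() {
    sample_pm_output | flag_sideloaded | wc -l | tr -d ' '
}

if [ "$1" = "--live" ]; then
    # Query a connected device; tr strips the CR that adb adds on some hosts.
    adb shell pm list packages -i | tr -d '\r' | flag_sideloaded
else
    sample_pm_output | flag_sideloaded
fi
```

Run it without arguments to see the two constructed sideloaded packages, or with `--live` against a real device. An installer other than the Play Store is a prompt to look closer, not proof of compromise: third-party stores, enterprise MDM and developer installs legitimately produce the same result, so pair the list with the app names in the article and a scan by a reputable mobile security product.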