Amidst the news that Chinese hackers have gained a foothold on the global telecommunications network, comes news that is familiar to many Android users: Android apps hiding spyware are being used to target individuals, this time in Israel. This espionage campaign was first reported by Bitdefender in August 2018. The researchers dubbed the spyware Triout. Following their investigation, they were able to discover that the spyware is capable of recording every phone call, logging every SMS message, capturing pictures and videos taken, and gathering GPS location data. All of that information is routed to a command and control server. The only problem that the researchers faced was in homing in on the means of disseminating the malware.
That issue is addressed, albeit partially, in a report that Kaspersky released today. In their detailed analysis, the security company calls the hackers’ operation ViceLeaker (we’ll stick with Kaspersky’s apropos title). Kaspersky’s researchers expanded on Bitdefender’s overview of ViceLeaker by revealing that the attackers can upload, download, and delete files. They can also actively record audio, take pictures, make calls, and send text messages.
More importantly, the report reveals that attackers were able to backdoor some legitimate apps by disassembling them with Baksmali, injecting them with malicious code, and reassembling them with Smali. As a result of this finding, the researchers narrow the infection vector to “the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers.”
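A repackaged build that adds call recording, SMS logging or GPS collection to a legitimate app usually has to declare permissions the original never asked for. As an added triage example (not code from Kaspersky’s or Bitdefender’s reports), the script below diffs the permissions in a decoded, plain-text AndroidManifest.xml (as apktool writes it) against the manifest of the known legitimate build and flags newly added surveillance-capable permissions; the package name and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions matching the capabilities attributed to the spyware above:
# call recording, SMS logging, photo/video capture, GPS collection.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

def declared_permissions(manifest_xml):
    """Collect android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def added_permissions(original_xml, suspect_xml):
    """Permissions the suspect build declares that the original does not,
    with the surveillance-capable subset split out for the analyst."""
    added = declared_permissions(suspect_xml) - declared_permissions(original_xml)
    return {"added": sorted(added),
            "surveillance": sorted(added & SURVEILLANCE_PERMISSIONS)}

# Constructed sample manifests (hypothetical package name, not a real app).
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(added_permissions(ORIGINAL_MANIFEST, SUSPECT_MANIFEST))
```

An unchanged permission set does not clear an app, since injected code can reuse permissions the original already held; the check is a fast first filter before looking at the smali itself.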
Speaking of messengers, the researchers discovered that the code used to parse C&C server commands in the malware conveniently resembled code found in Conversations, an open source XMPP/Jabber client. The app itself is legitimate; it’s the modified version of the app that bears the fingerprints of the attackers. In order to backdoor the application, the attackers did things the old-fashioned way: they simply copied the code into an IDE, added their code, and hit compile. That said, the researchers found nothing malicious in the app, leading them to believe that it was being used for internal communication. “All the detections of this backdoored app were geolocated in Iran,” the researchers added. It’s an interesting footnote, one that dangles implications, but the researchers don’t seem to know where the attack originates from.
The report also doesn’t elaborate on the number or type of victims that this malware targets. Still, if you compare this operation to Operation Soft Cell, you can assume that the targets are of significant value. Note that there is more information in Kaspersky’s private report to its clients. At the moment, Kaspersky’s researchers are continuing their investigation.
The researchers’ findings highlight the importance of guarding against installing apps from untrustworthy sources or third-party applications.