Over the past six years, thousands of enterprises, educational institutions, medical professionals, activists, journalists, lawyers and military personnel from around the world have been spied on through their mobile devices by one or multiple groups that share the same malware toolset.
The attacks have been discovered by researchers from mobile security firm Lookout in collaboration with the Electronic Frontier Foundation (EFF), which in 2016 uncovered a related spying campaign dubbed Operation Manul that targeted journalists, activists and lawyers in Kazakhstan. A subsequent investigation into the infrastructure used by that operation uncovered a larger cyberespionage effort dubbed Dark Caracal that’s believed to be run from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.
“The campaigns span across 21+ countries and thousands of victims,” Lookout’s Vice President for Security Intelligence Mike Murray said in a blog post. “Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.”
Researchers have identified hundreds of gigabytes of data stolen from a large variety of victims in North America, Europe, the Middle East and Asia. In addition to activists, journalists and various professionals, the victims also included government agencies, militaries, utilities, financial institutions, manufacturing companies and defense contractors.
The group has access to malware tools for all major desktop platforms—Windows, Linux and macOS—some of which they’ve acquired from cybercriminal markets, but it’s also very focused on targeting mobile devices. In the past, the group has used FinFisher, a commercial mobile surveillance tool, but in recent years it has relied on a previously unknown mobile spyware component that researchers have dubbed Pallas.
What’s interesting is that there’s no evidence of Dark Caracal using zero-day exploits in its operations; the group primarily uses posts on Facebook groups and WhatsApp to target their victims. The goal of these messages was to drive users to so-called “watering hole” websites controlled by the attackers or to phishing pages designed to steal Google, Facebook and Twitter credentials.
The Pallas spyware is installed through trojanized, but functional, versions of popular messaging and privacy applications including WhatsApp, Signal, Telegram, Threema or Tor. The malicious apps were not hosted on Google Play, but Google is in the process of removing them from users’ devices using the Google Play Protect feature. This means victims were tricked into downloading and installing the apps manually on their devices.
Another interesting aspect is that Pallas only relied on the permissions given to the trojanized apps by users to steal information. There’s no evidence that root exploits were used to gain complete control over infected devices, which shows that mobile phones provide enough functionality out of the box that can be exploited for spying.
“This highlights that, in many cases, advanced exploitation capabilities like those shown by surveillance tools such as Pegasus for iOS and Chrysaor for Android (that targeted both Android and iOS devices), are not essential, but helpful when targeting certain platforms,” the Lookout researchers said in their report.
Pallas’ capabilities include taking photos with both the back and front-facing cameras, stealing text messages, extracting geographical coordinates from the phone’s GPS, capturing audio through the microphone, retrieving a victim’s contacts, obtaining information about nearby Wi-Fi access points, stealing chats and encryption keys from the trojanized messaging applications, obtaining device metadata, retrieving call logs and information about accounts, downloading and installing additional apps and harvesting credentials through phishing pop-ups.
The researchers have identified four different Dark Caracal “personas” that use the same tools, techniques and infrastructure, but have different targets, which suggests that multiple groups might be sharing the same cyberespionage platform.
“This is a very large, global campaign, focused on mobile devices,” said Eva Galperin, the EFF’s director of cybersecurity. “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”
Earlier this week, researchers from antivirus vendor Kaspersky Lab also uncovered a sophisticated mobile spying campaign in Italy that used what the company believes is a professionally developed mobile surveillance tool.