Mobile Surveillance Malware Found on Google Play

Researchers have found sophisticated Android mobile surveillance programs created by cyberespionage groups on Google’s official Play store. Such malware is generally distributed in targeted attacks by tricking victims into downloading and installing trojanized apps from third-party sources, but the ability of attackers to host them on Google Play makes them much more dangerous.

Multiple malicious apps that masqueraded as chat applications were found to serve as first-stage droppers for two Android surveillanceware families known as Desert Scorpion and ViperRAT. The apps were removed by Google after the company was alerted by researchers from mobile security firm Lookout.

The groups behind the two malware families managed to bypass Google Play’s defenses, which are usually pretty good, by bundling most of the malicious functionality into second-stage components downloaded only after victims installed the rogue apps and interacted with them.

One of the applications masqueraded as a chat app called Dardesh and downloaded surveillance malware known as Desert Scorpion. The spying functionality contained in the second-stage component was extensive and included recording calls, video and surrounding audio; stealing documents and other files from storage; reading and sending text messages; stealing contacts and local account information such as email addresses; and tracking device location.

The Lookout researchers found that links to the rogue Dardesh application on Google Play were advertised by a Facebook account that in the past also distributed links to another Android family of surveillance malware known FrozenCell. This older threat is attributed to a threat actor tracked as APT-C-23, which is known for targeting individuals in the Middle East, especially Palestine.

“The Lookout Threat Intelligence team is increasingly seeing the same tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors,” the Lookout researchers said in a blog post. “The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment in comparison to premium tooling like Pegasus or FinFisher.”

A separate group was responsible for two other rogue chat apps found recently on Google Play that were infected with a mobile advanced persistent threat called ViperRAT. One of those apps was called VokaChat and was downloaded by 500 to 1,000 users, and the other was called Chattak and had between 50 and 100 downloads.

The ViperRAT malware family was discovered in 2017 when it was used to infect the mobile devices of members of the Israeli Defense Force (IDF), Israel’s military. At the time, the victims were tricked to install the app through third-party links spammed by attackers posing as attractive young women.

There’s no evidence to suggest that the new campaign using Google Play-hosted apps was also directed at IDF members. In fact, there are some hints that it targeted users from Saudi Arabia.

“Independent of the target or motive of the attackers, ViperRAT in Google Play demonstrates the increasing sophistication of mobile threats,” the Lookout researchers said in a blog post. “A malicious app that can be downloaded from the Google Play store is extremely dangerous, as users will not think twice about downloading it because of their trust in Google.”

Despite recent research showing that a large number of Android devices miss patches for critical and high-risk vulnerabilities, the exploitation of technical vulnerabilities remains a difficult task on the platform due to other OS defenses. That’s why the vast majority of Android malware campaigns rely on social engineering and why the most common security advice directed at users is to only download apps from the official Google Play.

If attackers increasingly gain the capability to bypass Google’s anti-malware scans on the app store to upload sophisticated and hard-to-detect trojans it will be much harder for consumers and companies to protect their devices.

Featured eBook
The Complete Guide on Open Source Security

The Complete Guide on Open Source Security

This joint report by Microsoft and WhiteSource discusses the difference in finding & fixing vulnerabilities in open source components opposed to proprietary code, how to grasp the unique challenges of open source security and how to tackle them, as well as how to master the best practices of managing your open source security risks. This ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 183 posts and counting.See all posts by lucian-constantin