Mobile Surveillance Malware Found on Google Play

Researchers have found sophisticated Android mobile surveillance programs created by cyberespionage groups on Google’s official Play store. Such malware is generally distributed in targeted attacks by tricking victims into downloading and installing trojanized apps from third-party sources, but the ability of attackers to host them on Google Play makes them much more dangerous.

Multiple malicious apps that masqueraded as chat applications were found to serve as first-stage droppers for two Android surveillanceware families known as Desert Scorpion and ViperRAT. The apps were removed by Google after the company was alerted by researchers from mobile security firm Lookout.

The groups behind the two malware families managed to bypass Google Play’s defenses, which are usually pretty good, by bundling most of the malicious functionality into second-stage components downloaded only after victims installed the rogue apps and interacted with them.

One of the applications masqueraded as a chat app called Dardesh and downloaded surveillance malware known as Desert Scorpion. The spying functionality contained in the second-stage component was extensive and included recording calls, video and surrounding audio; stealing documents and other files from storage; reading and sending text messages; stealing contacts and local account information such as email addresses; and tracking device location.

The Lookout researchers found that links to the rogue Dardesh application on Google Play were advertised by a Facebook account that in the past also distributed links to another Android family of surveillance malware known as FrozenCell. This older threat is attributed to a threat actor tracked as APT-C-23, which is known for targeting individuals in the Middle East, especially Palestine.

“The Lookout Threat Intelligence team is increasingly seeing the same tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors,” the Lookout researchers said in a blog post. “The approach of separating malicious functionality out into separate stages that are later downloaded during execution and not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment in comparison to premium tooling like Pegasus or FinFisher.”

A separate group was responsible for two other rogue chat apps found recently on Google Play that were infected with a mobile advanced persistent threat called ViperRAT. One of those apps was called VokaChat and was downloaded by 500 to 1,000 users, and the other was called Chattak and had between 50 and 100 downloads.

The ViperRAT malware family was discovered in 2017 when it was used to infect the mobile devices of members of the Israeli Defense Force (IDF), Israel’s military. At the time, the victims were tricked into installing the app through third-party links spammed by attackers posing as attractive young women.

There’s no evidence to suggest that the new campaign using Google Play-hosted apps was also directed at IDF members. In fact, there are some hints that it targeted users from Saudi Arabia.

“Independent of the target or motive of the attackers, ViperRAT in Google Play demonstrates the increasing sophistication of mobile threats,” the Lookout researchers said in a blog post. “A malicious app that can be downloaded from the Google Play store is extremely dangerous, as users will not think twice about downloading it because of their trust in Google.”

Despite recent research showing that a large number of Android devices miss patches for critical and high-risk vulnerabilities, the exploitation of technical vulnerabilities remains a difficult task on the platform due to other OS defenses. That’s why the vast majority of Android malware campaigns rely on social engineering and why the most common security advice directed at users is to only download apps from the official Google Play.

If attackers increasingly gain the capability to bypass Google’s anti-malware scans on the app store to upload sophisticated and hard-to-detect trojans, it will be much harder for consumers and companies to protect their devices.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
