February 16, 2017
According to Kaspersky Lab, starting in mid last year, over 100 Israeli servicemen were hit by an attack that exfiltrated data to the attackers’ command and control servers. Then, the devices were pushed Trojan updates allowing the hackers to extend their capabilities.
Experts believe the campaign is still ongoing and in its early stages, targeting Android devices. These smartphones or tablets, once compromised, are turned into spying devices that can make use of video and audio capabilities, as well as the SMS functions and location.
There are also social engineering techniques at play, leveraging social networks in order to make the soldiers share confidential information or download malicious apps.
According to Kaspersky, which has worked with the IDF C41 and IDF Information Security Department unit, the victims are Israeli servicemen of different ranks, most serving in the Gaza Strip.
How does it work?
The victims are lured via social networks to install a malicious application. Once the APK file was downloaded from the malicious address, the app needs to be installed manually. The app demands permission to delete and install packages, to write to external storage, as well as to access the Internet and to access the network state.
Depending on each device, the dropper relies on the configuration server to figure out which payload is best to download. The dropper also sends a list of installed apps on the device. Depending on what’s already there, one variant will pretend to be a YouTube layer, while others are chat apps, something we’ve noticed before with other types of malware.
One payload – “WhatsApp_Update” – is capable of executing manual commands triggered by the operator and scheduling tasks that collect information periodically from various sources.
“The payload uses the WebSocket protocol, which gives the attacker a real-time interface to send commands to the payload in a way that resembles ‘reverse shell.’ Some of the commands are not yet implemented (as shown in the table below),” reads the Kaspersky blog.
Attackers are then able to collect general information about the device, including the GPS location, which is particularly dangerous given the targets’ occupation. They can also open browsers and go to URLs of their choice, read and send SMS messages, or access contacts, eavesdrop at specific times, take pictures or screenshots and record video and audio. Unknowingly, these army men carry spy devices in their pockets.
The payload further runs a check on the phone every 30 seconds collecting data about the device, any newly received messages, browsing history, pictures taken, and so on.