For many months now, an unknown threat actor has been tricking servicemen in the Israel Defense Forces (IDF) into installing Android spyware. Israeli media says that the threat actor is likely Hamas, but Lookout researchers aren’t so sure.
“ViperRAT [as the researchers dubbed the malware] has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic,” the researchers noted, but pointed out that “Hamas is not widely known for having a sophisticated mobile capability.”
The malware comes in two forms:
- A first-stage app that functions as a low-level device profiler and as a downloader for the second-stage app.
- A second-stage app – spyware that is able to extract contact information, images, SMSes, call logs, audio files, device network and handset metadata, geolocation information, browser search history and bookmarks, record video and audio, and take screenshots.
ViperRAT samples can communicate with command and control (C&C) servers through an exposed API as well as over WebSockets.
“The [second-stage app] uses the WebSocket protocol, which gives the attacker a real-time interface to send commands to [it] in a way that resembles a ‘reverse shell’,” Kaspersky Lab researchers explained. Effectively, the malware provides the operator with dangerous RAT capabilities.
Malware distribution method used
The threat actor is using clever social engineering tactics to infect targets’ Android phones.
It all starts with the servicemen getting contacted via social media and messaging apps by what they believe to be good-looking women from countries such as Canada and Germany.
After an initial “getting to know you” stage, the attackers start flirting with the targets, and push them to install an additional app for easier communication.
“Specifically, Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro,” the researchers noted. But they’ve also uncovered ViperRAT in a billiards game, an Israeli Love Songs player, and a Move To iOS app.
These apps ask for the following permissions:
This first-stage dropper lists the apps installed on the device and sends that list to the C&C server. The C&C server then sends the second-stage malware masquerading as an update for an app that the target already uses (Viber, WhatsApp) or as a generic system update. Thus, for the second time, the target is tricked into installing the malware himself.
According to Kaspersky Lab’s findings, the threat actor continues with this malware delivery campaign to this day.
“IDF C4I & the IDF Information Security Department unit, with Kaspersky Lab researchers, have obtained a list of the victims; among them IDF servicemen of different ranks, most of them serving around the Gaza strip,” they noted.