A new malware espionage campaign infecting thousands of people in more than 20 countries has been uncovered.
Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients.
The Electronic Frontier Foundation (EFF) and mobile security company Lookout yesterday sounded the alarm about the malware campaign.
They warn that the trojanised apps, which impersonate legitimate messengers including Signal and WhatsApp, send and receive messages normally, so the victim sees nothing wrong. Behind that working front, however, the fake apps also let the attackers take photos, retrieve location information, capture audio, and more.
The threat, which EFF and Lookout researchers have named Dark Caracal, may be a nation-state actor and appears to use shared infrastructure that has also been linked to other nation-state actors.
In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut.
“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” says Eva Galperin, director of cybersecurity at EFF. “Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos.
“This is a very large, global campaign, focused on mobile devices,” she adds. “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”
Mike Murray, vice-president of security intelligence at Lookout, comments: “Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform.
“The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”
Dark Caracal has been operating since at least 2012. One reason it has been hard to track is that a diverse set of seemingly unrelated espionage campaigns has originated from the same domain names.
The researchers believe that Dark Caracal is only one of a number of different global attackers using this infrastructure. Over the years, Dark Caracal’s work has been repeatedly misattributed to other cybercrime groups.
In fact, EFF’s Operation Manul report from 2016 misidentified espionage from these servers as coming from the Indian security company Appin.
“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit,” says EFF staff technologist Cooper Quintin. “Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware.
“This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”
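The defensive check a practitioner wants against this kind of attack is the one the article implies: confirm that an installed messenger was signed by the vendor's own key, and notice when a build that did not come from a trusted installer holds the permissions the fake clients abused (camera, microphone, location, call log, storage). The script below is an added example, not code from EFF, Lookout or their report. It reads a small inventory format constructed for this example; on a real device the same fields come from `adb shell pm list packages -f` and `dumpsys package <pkg>` (installer, requested permissions) and from `apksigner verify --print-certs <apk>` (signing-certificate SHA-256). The package names, signer fingerprints and installer values in the sample are hypothetical, and the mapping from the article's capabilities to Android permission names is my own.

```python
"""Audit an Android app inventory for look-alike messengers and risky permissions.

Added example, not EFF/Lookout code. The inventory format is constructed for
this script; the fingerprints below are placeholders, not real vendor keys.
"""

# Capabilities the article attributes to the fake clients, mapped to the
# Android permissions that grant them (my mapping, not from the report).
HIGH_RISK_PERMISSIONS = {
    "android.permission.CAMERA": "take photos",
    "android.permission.RECORD_AUDIO": "capture audio",
    "android.permission.ACCESS_FINE_LOCATION": "retrieve location",
    "android.permission.READ_CALL_LOG": "read call records",
    "android.permission.READ_EXTERNAL_STORAGE": "read documents and photos",
}

# Hypothetical SHA-256 signing-certificate fingerprints for the genuine apps.
# Real values must be taken from the vendors' published releases.
SIGNAL_SIGNER = "11" * 32
WHATSAPP_SIGNER = "22" * 32
EXPECTED_SIGNERS = {
    "org.thoughtcrime.securesms": SIGNAL_SIGNER,
    "com.whatsapp": WHATSAPP_SIGNER,
}

# Installers that only deliver vendor-signed builds; anything else (browser
# download, a phishing site, "unknown sources") counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed inventory: genuine Signal from Play, a WhatsApp look-alike
# sideloaded with the wrong signer, and an unrelated app with no risky perms.
FAKE_SIGNER = "33" * 32
SAMPLE_INVENTORY = f"""
package org.thoughtcrime.securesms
  signer {SIGNAL_SIGNER}
  installer com.android.vending
  perm android.permission.CAMERA
  perm android.permission.RECORD_AUDIO
package com.whatsapp
  signer {FAKE_SIGNER}
  installer -
  perm android.permission.CAMERA
  perm android.permission.RECORD_AUDIO
  perm android.permission.ACCESS_FINE_LOCATION
  perm android.permission.READ_CALL_LOG
package com.example.notes
  signer {'44' * 32}
  installer com.android.vending
  perm android.permission.INTERNET
"""


def parse_inventory(text):
    """Parse 'package <name>' blocks with 'signer', 'installer' and 'perm'
    lines into {package: {"signer", "installer", "perms"}}.  An installer of
    '-' means the platform recorded none (typical for a sideloaded APK)."""
    apps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "package":
            current = apps.setdefault(value, {"signer": None, "installer": None, "perms": set()})
        elif current is None:
            raise ValueError(f"attribute before any package: {line!r}")
        elif key == "signer":
            current["signer"] = value.lower()
        elif key == "installer":
            current["installer"] = None if value == "-" else value
        elif key == "perm":
            current["perms"].add(value)
        else:
            raise ValueError(f"unknown inventory line: {line!r}")
    return apps


def audit(apps, expected_signers, trusted_installers):
    """Return {package: [findings]}.  A package is flagged when it carries a
    known app's name but not that vendor's signer, or when a build with no
    verified signer was sideloaded and holds high-risk permissions.  A
    vendor-signed APK fetched directly from the vendor is deliberately not
    flagged for being sideloaded alone."""
    findings = {}
    for name, info in apps.items():
        issues = []
        expected = expected_signers.get(name)
        signer_ok = expected is not None and info["signer"] == expected.lower()
        if expected is not None and not signer_ok:
            issues.append(f"signer mismatch: got {info['signer']} expected {expected}")
        sideloaded = info["installer"] not in trusted_installers
        risky = sorted(p for p in info["perms"] if p in HIGH_RISK_PERMISSIONS)
        if not signer_ok and sideloaded and risky:
            caps = ", ".join(HIGH_RISK_PERMISSIONS[p] for p in risky)
            issues.append(f"sideloaded build with permissions to: {caps}")
        if issues:
            findings[name] = issues
    return findings


def run_example():
    """Audit the constructed inventory against the hypothetical allowlist."""
    return audit(parse_inventory(SAMPLE_INVENTORY), EXPECTED_SIGNERS, TRUSTED_INSTALLERS)


if __name__ == "__main__":
    for pkg, issues in run_example().items():
        print(pkg)
        for issue in issues:
            print("  -", issue)
```

The design choice worth noting is the order of the two checks: the signer comparison is the authoritative one, because a trojanised copy cannot reproduce the vendor's signature, while the sideloaded-plus-permissions rule is only a heuristic for packages the allowlist does not cover. Extending EXPECTED_SIGNERS with fingerprints taken from the vendors' release pages turns the heuristic into a hard check for every messenger your fleet uses.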