Fake digital thermometer among trove of malicious apps

UPDATED Coronavirus-related lures are being deployed in malicious Android apps in an evolution of a long-running campaign linked to hacktivists that support the current Syrian regime, security researchers warn.

The campaign is likely directed at Syrian citizens amid the country’s ongoing civil war, as well as Arabic-speaking users in the surrounding region, according to Kristin Del Rosso, senior security intelligence engineer at Lookout, in a post on the mobile security specialist’s blog.

Telltale package names include ‘com.syria.tel’, ‘syria.tel.ctu’, and ‘com.syriatel.ctu’.

Lookout researchers tied 71 malicious applications to the campaign, which dates back to January 2018.

Unavailable on the official Google Play Store, the rogue apps “were likely distributed through actor-operated watering holes or third-party app stores”, Del Rosso speculated. She told The Daily Swig that “it is also possible targets could be lured by links sent via SMS.”

Impersonated applications included a phone signal booster, an Office suite application, and an end-to-end encrypted messaging application, with titles including ‘Covid19’, ‘Telegram Covid_19’, and ‘Android Telegram’.

Syrian connections

The campaign’s IP addresses were associated with the Tarassul ISP, whose owner, the Syrian Telecommunications Establishment (STE), has reportedly hosted infrastructure linked to Android malware family SilverHawk and Syrian state-sponsored hacktivists the Syrian Electronic Army.

The group recently claimed responsibility for cyber-attacks against Belgian media, PayPal, and eBay.

Del Rosso cited a 2018 report (PDF) by Freedom House that showed how the Syrian regime’s primary spying target was its own citizens.

The human rights advocacy group said that the STE “served as both an ISP and the telecommunications regulator, providing the government with tight control over the internet Infrastructure”.

The vast majority of malicious apps discovered by researchers – 64 of 71 – included variants of SpyNote, a remote administration tool (RAT).

SpyNote surfaced the term ‘Allosh’, which recurred in previous Syrian Electronic Army activities, in the res/values/strings.xml within 22 Android Application Packages (APKs).

“Based on past activity from this suspected actor, and the typical modus operandi of nation-state attacks, it is plausible that the goal is to spy on Syrian political activists,” said Del Rosso, though she stressed that “Lookout has no evidence indicating who is being targeted by the current campaign.

“Past targeting from the Syrian Electronic Army has included spying on journalists, political dissidents, and healthcare workers.”

AndoServer

Another malware strain deployed as part of the campaign is yet to surface on darknet markets or public forums, observed Del Rosso.

The so-called ‘AndoServer’ malware can take screenshots, track a device’s location, access cameras and record audio, exfiltrate call logs and SMS messages, and call phone numbers or send SMS messages, among other functions.

The malware was smuggled onto victims’ mobile devices via a fake digital thermometer app, while other samples were bundled with legitimate applications, and some were simply undisguised spyware.

The campaign also uses SLRat malware, a RAT that surfaced in May 2016, and SandroRat, which emerged back in 2013.

The research follows Lookout’s analysis of another spyware campaign targeting Libya with Coronavirus-related lures.


This article was updated on April 17 with comment from Lookout's Kristin Del Rosso.


RECOMMENDED Safari vulnerabilities created means for attackers to covertly access iPhone cameras