Hamas targeting Israel with Android spyware apps

Researchers at Qihoo 360 uncovered the spyware-laden apps, which included Threema, Al-Aqsa Radio, Al-Aqsa Mosque, Jerusalem Guide, PDF viewer, Wire, and other apps disguised as social apps.

The most commonly used app is a spoof of Threema, an end-to-end encrypted instant messaging app. According to the experts, the initial vector for these apps is a Facebook post or WhatsApp message that directs victims to a website that hosts the APK and lets them download it.

In some cases, the messages include a link to a supposedly important, confidential PDF document on Google Drive. The target is then asked to download an APK that appears to be the mobile version of Adobe Reader but is actually spyware.

A Large Spyware Collection

The researchers examined a range of samples and found that the attackers use several families of commodity malware, including SpyNote, Mobihok, WH-RAT, and 888RAT.

These are all commercial spyware programs that have a lot of features, such as:

  • File Exfiltration
  • Call Recording
  • Location Tracking
  • Keylogging
  • Photo And Video Capturing
  • Real-Time Recording
  • Clipboard Management
  • Phishing
  • Shell Command Execution

Metasploit and EsecretRAT were detected in the APKs in a smaller number of cases. In both cases, the actors had added their own bespoke code to the open-source tools.

EsecretRAT is a unique spyware program based on ChatApp that can exfiltrate contact lists, SMS, IMEI, location information, IP address, and all photographs stored on the device.

Signs of Hamas Hackers

Qihoo 360 believes the attacks are being carried out by ‘APT-C-23,’ a Hamas-backed group that has been linked to previous campaigns targeting Israel. The group was exposed in October 2020 for deploying Android spyware disguised as Threema and Telegram against Israeli smartphones.

The group has previously used specialized spyware apps disguised as legitimate dating apps to lure Israeli soldiers. The researchers observed that while the attribution for this three-year-old campaign may be shaky, the similarities with past APT-C-23 activities are striking.

If you obtained Threema, Telegram, PDF viewer, Al-Aqsa Radio, Al-Aqsa Mosque, or Jerusalem Guide from a source other than the Google Play Store, you should uninstall the app right away and run an antivirus scan on your device.