Spyware traced to a building belonging to Lebanese intelligence has managed to steal “hundreds of gigabytes” of data from thousands of people in more than 21 countries via numerous campaigns which started back in 2012. The types of stolen data included audio recordings, text messages, call records, documents, photos, contact information, secure messaging client content, account data and enterprise intellectual property.
The attackers, who have nation-state level APT capabilities, were dubbed Dark Caracal by the EFF and mobile security firm Lookout. The group has targeted governments, military, financial institutions, manufacturing companies and defense contractors. While there was an implant component for infected Windows, Mac and Linux desktops, the campaigns primarily were aimed at infecting Android devices through fake secure messaging apps such as Signal and WhatsApp.
The EFF and Lookout traced devices used for testing and operating by Dark Caracal back to a building belonging to the Lebanese General Security Directorate (GDGS), one of Lebanon’s intelligence agencies, in Beirut. “Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” read the Dark Caracal Technical Report (pdf).
However, attribution is tricky as the malware is also being used by other groups which suggests Dark Caracal is more of an APT-for-hire, than a hacking group tied to a single nation state. When confronted by Reuters, the director general of GDGS said, “General Security does not have these type of capabilities. We wish we had these capabilities.”
The attackers sent spearphishing emails to people who are normally interesting to APT groups. The investigation led to data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers and education institutions. In some cases, instead of luring victims to a malicious site, the attackers had physical access to people’s phones to install the apps.
The actual malware being distributed by the trojanized secure messaging apps is called Pallas; victims were none the wiser as the app maintained full functionality while Dark Caracal exfiltrated victims’ sensitive data. Whether it was allowing the Android to take secretly take photos, silently record audio, obtain GPS location or harvest credentials, victims granted attackers the right to access the private data by granting permissions when they installed the app.
“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”
After the initial press release resulted in some confusion, the EFF had to clarify that neither Signal, nor WhatsApp were compromised. The infections were a result of trojanized versions of the Android apps which were downloaded from a fake version of an app store. If you downloaded your apps from Google Play, “then you are almost certainly in the clear.” Put another way, “if you downloaded your apps from the official app store, you can rest easy that this has likely not affected you.”
In a statement on the Lookout blog, the Google Android Security Team added, “Google has identified the apps associated with this actor, none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices.”
Android smartphones across the world have been infected, spanning over 21 countries in North America, Europe, the Middle East and Asia. The EFF notes, “People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal.”
Lookout and EFF released “more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.” Those and many more in-depth details about Dark Caracal can be found in the technical report (pdf).