Fake versions of popular encrypted messaging and privacy apps have been spotted circulating in the wild. The bogus versions of WhatsApp, Telegram, Signal, and PsiphonVPN are believed to have been created by hackers allegedly working for the Lebanese government. The malevolent apps fool users into believing their messages are private. In reality, the trojanized apps carry spyware that reads correspondence on the device itself, where end-to-end encryption offers no protection, and the operators allegedly use that access to snoop on users' conversations.
According to a report published jointly by the mobile security company Lookout and the Electronic Frontier Foundation (EFF), the hackers have been linked to the General Directorate of General Security (GDGS), one of Lebanon's intelligence agencies. The report reveals that victims in as many as 20 countries have likely downloaded the counterfeit versions of popular security apps.
Dangerous Trojans
Malicious apps can be made to appear almost identical to their legitimate counterparts: the same name, the same icon, and often the same working features. From the screen alone, users have no real way of knowing that something untoward is happening on their devices. On this occasion, victims downloaded the nefarious apps from outside the official app stores. Once installed, the app behaves like a Trojan: whatever encryption the bundled messenger applies in transit (the Signal Protocol from Open Whisper Systems, in the case of Signal and WhatsApp), the spyware reads messages on the device, where they are in the clear.
A Trojan is malware that masquerades as legitimate software, and once it is running, the spyware it carries can give its operators control of the device's features. In this case that includes reading chat and SMS messages, accessing email, turning on the microphone and camera, browsing contacts, reading the GPS location, and collecting photos and any other data stored on the compromised device.
The Lebanese Connection
The report published by Lookout and EFF is titled "Dark Caracal: Cyber-Espionage at a Global Scale". The researchers say they uncovered evidence pointing to the involvement of a state actor. According to Lookout, that link was established by tracing the devices used to test and operate the campaign to a building belonging to the Lebanese General Directorate of General Security (GDGS) in Beirut:
"Devices for testing and operating the campaign were traced back to a building belonging to the Lebanese General Directorate of General Security (GDGS), one of Lebanon's intelligence agencies. Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal."
The published documents reveal that the hackers have stolen both personally identifiable data and intellectual property from victims including "military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions".
Operation Manul
According to EFF, Dark Caracal may be related to a previously uncovered hacking campaign called Operation Manul. That campaign, which EFF documented in 2016, targeted lawyers, journalists, activists, and dissidents from Kazakhstan who criticize the actions of President Nursultan Nazarbayev's regime.
Unlike Operation Manul, however, Dark Caracal appears to have matured into an international hacking effort aimed at global targets. Mike Murray, Vice President of Security Intelligence at Lookout, commented:
"Dark Caracal is part of a trend we've seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform.
"The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about."
In fact, according to Lookout's report, Dark Caracal has been active since at least 2012, which means the actors behind it have been accumulating experience and tooling for some time. The report also makes clear that Dark Caracal is still highly active and unlikely to quit anytime soon.
As such, this campaign serves as a reminder that it is not only major powers such as the US, UK, Russia, and China that have global cyber-espionage capabilities at their disposal.
Attack Vector
The work undertaken by researchers at Lookout reveals that victims are initially targeted with social engineering and phishing. Successful spear phishing delivers an Android malware payload called Pallas, and a previously unseen modification of FinFisher. Dark Caracal's phishing infrastructure includes login pages impersonating popular websites such as Facebook and Twitter.
Phishing messages direct victims to a "watering hole" server controlled by the attackers, from which the infected versions of popular security and privacy apps are served for sideloading, bypassing the official app store entirely. Fake Facebook profiles were also found spreading links to infected versions of WhatsApp and other messengers.
Once a trojanized app carrying Pallas is installed, the operators can push secondary payloads from a command-and-control (C&C) server. Among the infected apps the researchers uncovered were a counterfeit PsiphonVPN and an infected build of Orbot, the Tor proxy for Android.
The researchers also found Pallas "lurking in several apps purporting to be Adobe Flash Player and Google Play Push for Android".
Unsophisticated but Effective
At the end of the day, the techniques used by Dark Caracal are common and cannot be considered particularly sophisticated: phishing, lookalike login pages, and repackaged apps. Despite this, the campaign is a stark reminder that in 2018 cyber-espionage is likely to be both prolific and global. The tools have cross-pollinated from one state actor to the next, and the access they grant is so complete that even two-factor authentication offers no protection: the spyware sits on the very phone that receives the one-time codes, and can read them as easily as any other SMS.
As is always the case, we recommend that you are very careful when opening messages. Social-engineered phishing is designed to lure you in, so think twice before you tap a link, and be especially wary of login pages reached from a message. If you need an app, get it from an official app store; this vastly reduces, though does not eliminate, the chance of installing an infected copy, and on Android it means leaving installation from unknown sources disabled. If you do sideload, check that the APK is signed with the same publisher certificate as the genuine app, since a repackaged app cannot be signed with the original developer's key. Finally, Virtual Private Network (VPN) users are reminded to be extremely careful where they get their VPN software from, always ensuring it comes from the vendor's legitimate source.
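The signing-certificate check described above, as an added example that is not code from the original article, from Lookout or from EFF: a standalone Python script that pulls the first certificate out of an APK's v1 (JAR) signature block and compares its SHA-256 fingerprint with a fingerprint pinned for the genuine publisher. The APK, the certificates and the pinned fingerprint are all constructed inside the script for illustration; in practice the pinned value would come from the developer's published fingerprint or from `apksigner verify --print-certs` run against a known-good copy from the official store.

```python
"""Pin an APK's v1 (JAR) signing certificate to a known publisher fingerprint.

A repackaged app cannot be signed with the original developer's private key,
so however closely it copies the icon, name and features, its signing
certificate (and so its SHA-256 fingerprint) differs from the genuine one.
Standard library only: the PKCS#7 SignedData in META-INF/*.RSA (or .DSA/.EC)
is walked just far enough to slice out the first certificate, which is hashed.
"""
import hashlib
import io
import zipfile


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos.

    Returns (tag, content_start, content_end); the whole TLV is
    buf[pos:content_end]. Single-byte tags only, which is all SignedData
    needs at the levels walked here.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_first_certificate(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob."""
    tag, pos, _ = _read_tlv(pkcs7, 0)       # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, pos = _read_tlv(pkcs7, pos)     # contentType OID (id-signedData)
    if tag != 0x06:
        raise ValueError("missing contentType OID")
    tag, pos, _ = _read_tlv(pkcs7, pos)     # [0] EXPLICIT content
    if tag != 0xA0:
        raise ValueError("missing explicit content")
    tag, pos, _ = _read_tlv(pkcs7, pos)     # SignedData SEQUENCE
    if tag != 0x30:
        raise ValueError("missing SignedData")
    for expected in (0x02, 0x31, 0x30):     # skip version, digestAlgorithms, encapContentInfo
        tag, _, pos = _read_tlv(pkcs7, pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x in SignedData" % tag)
    tag, pos, _ = _read_tlv(pkcs7, pos)     # [0] IMPLICIT certificates
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    tag, _, end = _read_tlv(pkcs7, pos)     # first Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    return pkcs7[pos:end]


def sha256_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of the v1 signing certificates found in an APK."""
    fingerprints = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fingerprints.append(sha256_fingerprint(extract_first_certificate(apk.read(name))))
    return fingerprints


def verify_apk_publisher(apk_bytes, pinned_fingerprints):
    """True only if the APK is v1-signed and every signer matches a pinned fingerprint."""
    found = apk_signer_fingerprints(apk_bytes)
    return bool(found) and all(fp in pinned_fingerprints for fp in found)


# --- Constructed sample data: not real certificates and not a real app -------

def _der(tag, content):
    """Minimal DER encoder, used only to build the sample signature block."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"   # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"          # 1.2.840.113549.1.7.1

# Placeholder certificates; the walker treats them as opaque DER SEQUENCEs.
GENUINE_CERT = _der(0x30, b"placeholder certificate of the genuine publisher")
REPACKAGED_CERT = _der(0x30, b"placeholder certificate of the repackager")
GENUINE_FINGERPRINT = sha256_fingerprint(GENUINE_CERT)


def build_sample_apk(cert_der):
    """Build a minimal ZIP shaped like a v1-signed APK that embeds cert_der."""
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")                    # version
                       + _der(0x31, b"")                      # digestAlgorithms (empty in sample)
                       + _der(0x30, _der(0x06, OID_DATA))     # encapContentInfo
                       + _der(0xA0, cert_der)                 # [0] certificates
                       + _der(0x31, b""))                     # signerInfos (empty in sample)
    pkcs7 = _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"placeholder manifest")
        apk.writestr("META-INF/CERT.SF", b"placeholder signature file")
        apk.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    pinned = {GENUINE_FINGERPRINT}
    for label, cert in (("genuine build", GENUINE_CERT), ("repackaged build", REPACKAGED_CERT)):
        apk = build_sample_apk(cert)
        verdict = "OK" if verify_apk_publisher(apk, pinned) else "REJECT"
        print(label, apk_signer_fingerprints(apk), "->", verdict)
```

This checks the v1 signature only. Apps signed exclusively with the v2/v3 scheme keep their certificates in the APK Signing Block rather than under META-INF, so `verify_apk_publisher` reports no certificates and rejects them; for those, run `apksigner verify --print-certs` and pin the fingerprint it prints. The walker also does not validate the signature itself, only which certificate was used, which is enough to tell a repackaged build from the publisher's own.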
Opinions are the writer's own.
Title image credit: Ink Drop/Shutterstock.com
Image credits: anastasiaromb/Shutterstock.com, wk1003mike/Shutterstock.com, smolaw/Shutterstock.com