The Mobile Malware Research Team of McAfee has discovered in recent weeks a number of new threats in the Middle East. In May, we uncovered a spying campaign targeting cybersecurity professionals in Saudi Arabia. This week, the team exposed a strain of spyware targeting another specific group of mobile users: individuals with possible sympathies toward terrorist organizations.
The actors behind this spyware use mainstream social media and public web services to distribute their malicious code to these audiences. Several Twitter accounts have been posting a direct link guiding users to download a malicious Android application masquerading as the legitimate radio player Al Rayan Radio. Users are promised and provided radicalized propaganda, but are secretly made susceptible to cyber surveillance through their mobile devices.
McAfee Labs has observed such attempted smartphone infections targeting users in the Middle East, Europe, and even North America, illustrating the broad following of such groups across continents.
The spyware used by this new campaign is a well-known commercial Android remote access tool detected by McAfee Mobile Security as Android/SandroRAT.C!Gen.
In this incarnation of the threat, a URL-shortening service obscures the tweeted link, hiding both the source of the file users are downloading as well as the fact that they are downloading a suspicious APK file.
Once the app is installed, the bogus radio player appears as the following icon:
The radio player performs its function without any characteristics that might arouse suspicion from users. However, once installed, the malicious services always run in the background, even if the user ceases to open and operate the app on a regular basis.
As it operates undetected, the spyware allows the attacker to intercept the victims smartphone communications, and spy on them through the camera and microphone. The attacker may also access user location, network connectivity information, read/write call history, read/write SMS, and even access SD memory to download or upload files in it.
If the device is rooted, Android/SandroRat.C!Gen can implement functions to leak encrypted WhatsApp data and even bypass Android sandboxing using privileged commands.
After examining the source of the malicious files, we found that the server used to store the malicious APK files were abusing the Weebly service with the accounts dawlatislambaqiya and goldenislamicstate, both of which have been suspended.
Script kiddies attacks
As in past mobile threat campaigns related to extremists in the Middle East, a common tactic used by malware authors is to rely on off-the-shelf packages or remote access tools to “weaponize” legitimate apps. The key for the authors is to find the right application and lure victims by social engineering.
At present, it is unclear who is behind the development and distribution of this spyware.
The actor could be associated with the terrorist group, perhaps intending to gather information on social media followers with the intention of monitoring, qualifying, and attempting to recruit them into their ranks.
The actor could be associated with an unknown government’s law enforcement or intelligence agencies. Such an entity might wish to monitor potential recruits subject to radicalization, but the use of a common, off-the-shelf spyware component for cyber surveillance probably suggests a less sophisticated state actor.
A third possibility is that the actor could be a rival extremist or vigilante group intending to gather intelligence on the terrorist group’s followers and potential recruits.
What we can conclude
In any case, the off-the-shelf nature of this new threat, using known components available on the Dark Web to anyone with a credit card, illustrates how easy it is for an individual or group, perhaps without strong programing skills, to craft and launch a spyware attack on a specific group of targets.
We can also confirm that such Trojanization efforts are very common. In 2013, the McAfee Mobile Security research team analyzed a Trojanized app that pretended to support online followers and supporters of a petition campaign advocating a woman’s right to drive an automobile. We can assume that any number of controversial movements (in their social and cultural context) might drive the development of similar bogus apps to follow communities deemed to be subversive.
Finally, the task of identifying these kinds of threats could remain very difficult for legitimate hosting and social media services, and such a threat could prove very successful if targeted users fail to install and update proper security protection in their devices. Such factors will always allow a high probability of success for attacks and campaigns, and a relatively fast lifecycle―from conception, to development, to execution, to end of life.
Please see the McAfee whitepaper Cybercrime Exposed: Cybercrime-as-a-Service for an analysis by McAfee Labs of the Dark Web marketplace for buyers and sellers of hacking skills for hire.