News

Dark Caracal: Government malware turns the smartphones into spy cams

Researchers claim thousands are affected as a Lebanon spy agency has been targeting people in more than 20 countries including the United States, since 2012.

Did you ever think of using smartphones as a spy cam to spy on someone else?

Lebanon government-backed intelligence agency has been doing precisely that since 2012. Yes, 2012.

A global spy agency based in Lebanon revealed itself a large scale state hacking, without knowing, thanks to one of the exposed server of suspected operation on the open internet.

Security researchers combinedly from cell phone security firm Lookout and the digital rights group EFF (Electronic Frontier Foundation) spotted the exposed server.

Researchers then found that the spying agency pulled out stolen data from the infected windows machines and Android devices; in hundreds of gigabytes.

 Since 2012, Dark Caracal – the secret operation – has successfully spied on thousands of people from 21 countries worldwide including the United States.

Dark Caracal malware turns smartphones in spy cams
You could end up taking your most dangerous selfie with this mass spying operation, unknowingly.

Most of the victims were activists, military personnel, lawyers, defense contractors, financial institutions, and journalists.

Reporting the findings on Thursday (18th January 2018), the researchers stated it is one of the biggest spying operation focused on mobile devices.

The cyber attacks seized control of the Android phones that allowed hackers to turn them into the victim monitoring devices, and ultimately, steal any data undetected.

No evidence found of hacking Apple users, yet again, hinting towards the popularity of Android within the Middle East.

The researchers claim that the state backs hackers.

Since they traced activities to a building that belongs to one of Lebanon’s  security agencies in Beirut.

More precisely, suspected Lebanon’s intelligence agency building behind the hackers is –  General Directorate of the General Security building.

Subsequently, attackers managed to get full control of the unwitting users’ devices using phishing attacks to trick them into downloading the fake versions of trusted encrypted messaging apps.

Facebook, Viber, Signal, and Whatsapp are those encrypted messaging platforms of which the hackers created fake login pages to lure victims.

In addition to the Android, the spying operation also has been using the Windows malware too.

The Windows version of the agency’s malicious program can take screenshots from the victim’s computers, steal sensitive business documents, and extract log files from the Skype.

Subsequently, no previously known Windows or Android vulnerability got exploited in this Malware.

How researchers managed to catch the spying agency?

Lead security researcher of the group, Michael Flossman, revealed to Reuters that Lookout and EFF were able to connect back to GDGS because of the failure of suspected cyber spying agency.

The group failed to secure their very own control servers and command, which created an opportunity for researchers to get to know what they are doing.

In a telephonic interview given to Reuters, Flossman said

“Looking at the servers, who had registered it when, in conjunction with being able to identify the stolen content of victims: That gave us a pretty good indication of how long they had been operating.”

Here is a turn in the tale!

Director general of the GDGS, Major General Abbas Ibrahim, said he wished to see the report before he commits on the contents of it.

He further added Lebanon general security doesn’t have such capabilities of spying.

Ibrahim moreover gestured, they wish they could have the capabilities discussed in the report.

So we perhaps can say here that GDGS might not be involved directly here; though, it could be the work of a rogue employee working in it.

What data the hackers exactly captured from infected devices?

Lookout/EFF team stated they uncovered the spy tools and a ton of data stolen from thousands of victim’s phone.

The data includes contacts, text messages, documents, encrypted conversations, photos, and audio.

Mainly the targets were located in the surrounding regions including Saudia Arabia and Syria, and Lebanon itself.

One shocking thing here is, the operation didn’t target people from Israel or Iran.

Why so shocking?

The reason is, those are the two top targets of governmental cyber-spy attacks.

The report suggests that victims also live in some European countries too. Those include China, Russia, United States, South Korea and Vietnam.

How is Dark Caracal (the malware in question) built?

An interesting fact is, the hackers built their malicious software by borrowing code from developer sites (Facebook, Whatsapp, and Signal).

They relied heavily on the social engineering for ticking people into clicking links that sent victims to a website called SecureAndroid – which in fact, is a fake Android application store.

There, users got fooled to download the fake (but entirely functioning) versions of the privacy tools and encrypted messaging apps including Viber, Signal, and WhatsApp, that the lead researcher (Flossman) told promised targets secure experience “even better than their respective originals.”

Once installed, the malware can take photos (either with front or the back camera), silently activate mobile phone’s microphone to record nearby conservations – all remotely.

Google Knows and is working on it

In late 2017, upon notification by researchers to Google, search giant worked with the researchers as an effort for finding apps concerning this attack.

A spokesperson from Google said that not a single app out of all was present on official Google play for the Android users.

The spokesman further added, firm’s unified security system, Google Play Protect that runs on numerous Android devices, have been in continuous update operation in an attempt for protecting users from such malicious applications.

The company is working on removing them from all affected devices, too.

To return to the subject, Lookout found some links between Lebanon-linked cyberattacks and the ones tied to Kazakh government in Central Asia. Report on that was published back in 2016 named as “Operation Manual” published by the Electronic Frontier Foundation alongside other experts.

Now, both of the research groups (Lookout and EFF) agreed to team up for further investigation. The groups have found that Kazakh group was more likely a client of these Lebanon-based hackers.

What can I do to protect myself the easy way?

If you want to keep yourself protected from any Android-based malware, remember one rule of thumb; always download applications only from official Google Play Store.

Do not download an app from a third-party website, ever.

Ali Qamar
the authorAli Qamar
Editor
Ali is an Internet security and tech enthusiast who enjoys "deep" research to dig out modern discoveries in the tech and security industry. Before turning to tech and security, he worked in marketing and management sector. He is passionate about sharing the knowledge with people and always try to give only the best.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.