"Dark Caracal" is the name that has now been given to a global espionage campaign which makes its presence felt in the form of Android (and Windows) malware. This was uncovered and jointly announced by Lookout and the Electronic Frontier Foundation (EFF) this week, and what is a concern with this particular malware is how it seems to be a concerted effort to specifically attack professional people. With the announcement directly noting "military personnel, enterprises, medical professionals, lawyers, journalists, educational institutions, and activists" as potential victims. Further lending to the suggestion this is an espionage-focused attack, evidence points to the campaign originating and operating from a building in Beirut owned by the Lebanese General Security Directorate (GDGS), according to the report.
While this does seem to be a targeted attack, anyone can fall victim to the malware, and many have: the announcement explains that it has likely affected "thousands of victims" in more than 21 countries, with activity dating back as far as 2012. The malware (currently dubbed "Pallas") manifests itself in multiple ways, one of which is fake apps, with Signal and WhatsApp listed as two examples. Because these are fake apps, users who have only ever downloaded apps from the Google Play Store are unlikely to be affected; the announcement states that Google is aware of the issue and has confirmed that none of the affected apps are available through the Google Play Store. Google also confirmed that Play Protect has been updated to mitigate the effects on devices that already have the fake apps installed.
As a means of getting these apps onto devices, the campaign has adopted a typical phishing-based approach (alongside more direct measures): for example, emails, messages and links are sent to users pretending to be official communications from an app or brand (or from a known person), directing users to the location of the fake apps. Once installed, the report notes, copious amounts of data are likely to have been accessed and/or stolen, including, but not limited to, "documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data." The takeaway – once the app(s) have been installed, the devices effectively become spying tools for Dark Caracal. One of the main concerns about Pallas is how unsophisticated it is in terms of what it needs to gain access: the apps require nothing more than acceptance of the permissions requested at install time, something many users are likely to agree to automatically because they are actively in the process of installing the app. The ease of installation, combined with phishing as the means of distribution, therefore results in a threat that acts quickly from start to finish. For those interested in a greater understanding of Dark Caracal, the EFF has published a more in-depth look at the campaign. Alternatively, head through the link below to download the full report from Lookout.