Dark Caracal - Bad News for Business App Security?
Global malware espionage campaign revolved around compromised Android apps including Signal and WhatsApp - what does it mean for your business?
A previously unknown threat actor dubbed Dark Caracal has been identified as being responsible for cyber attacks on thousands of victims in more than 20 nations worldwide. The multi-stage attacks involve a range of attack vectors, often including trojanised Android apps, according to researchers from Lookout and the Electronic Frontier Foundation (EFF).
The group uses a blend of social media, phishing and even physical access to compromise targets, deploying malware ranging from sophisticated custom-built spying tools through to off-the-shelf malware from the dark web. The group has been active since at least 2012, exfiltrating hundreds of gigabytes of data from victims. Because nation-state or politically motivated hacking was readily blamed on groups such as Fancy Bear, the researchers believe that Dark Caracal was able to operate undisturbed.
Interestingly, the Android malware most widely used by the hackers, called Pallas, doesn't make use of any new zero-day or unpatched vulnerabilities in Android, and does not require root access. Pallas in fact relies only on the permissions it is granted when installed, which potentially leaves business defenders focussed on zero-day Android exploits at a disadvantage.
It is thought that Dark Caracal has intercepted 486,766 text messages by using the Pallas mobile malware and stolen more than 264,535 files from a string of nations including the United States, China, France, India, South Korea and several Middle Eastern nations.
The primary infection vector is trojanised Android applications, most commonly pastiches of WhatsApp and Signal. While the original purpose of the group appears to have been targeted espionage, there is evidence that the platform has been rented out to other entities.
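Because Pallas needs no exploit and lives entirely on the permissions it is granted, the practical check for a defender is to find apps that arrived from outside Google Play and see which sensitive permissions they hold. The following script is an added example, not part of the original article or of the Lookout report: it parses the text printed by `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys package <pkg>` (permission grants) and flags sideloaded apps that hold message, contact, microphone, camera or location permissions. The sample output, the package names and the list of "sensitive" permissions are constructed assumptions, and the exact format of those two commands varies between Android versions, so the regular expressions may need adjusting on a real device.

```python
"""Triage installed Android apps for sideloading plus sensitive permission grants.

Added example, not from the original article. Input formats are those of
`adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`,
reproduced here from constructed sample output (an assumption about the
exact layout; adjust the regexes for your Android version).
"""
import re

# Installer package names treated as official. Google Play is com.android.vending.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Permissions worth reviewing on a sideloaded app. This list is an assumption
# for the example, not a list taken from the Lookout report.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# "package:<name>  installer=<installer>"; sideloaded apps report installer=null
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
# "android.permission.X: granted=true, flags=[ ... ]" inside a dumpsys dump
GRANT_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true")

# Constructed sample output: two genuine store installs and two sideloaded apps.
SAMPLE_PM_OUTPUT = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.whatsapp.update  installer=null
package:com.example.notes  installer=null
"""

# Constructed excerpts of `dumpsys package` for the two sideloaded packages.
SAMPLE_DUMPSYS = {
    "com.example.whatsapp.update": """\
  Package [com.example.whatsapp.update] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.notes": """\
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false
""",
}


def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -3 -i` text."""
    result = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_granted_permissions(dumpsys_output):
    """Collect permissions reported as granted=true in `dumpsys package` text."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = GRANT_LINE.match(line)
        if m:
            granted.add(m.group(1))
    return granted


def triage(installers, permissions_by_pkg):
    """Return (package, reason) findings for every app not installed by an
    official installer, naming any sensitive permissions it has been granted."""
    findings = []
    for pkg, installer in installers.items():
        if installer in OFFICIAL_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        risky = sorted(permissions_by_pkg.get(pkg, set()) & SENSITIVE_PERMISSIONS)
        reason = "sideloaded (installer=%s)" % installer
        if risky:
            reason += " with " + ", ".join(p.rsplit(".", 1)[1] for p in risky)
        findings.append((pkg, reason))
    return findings


def run_sample():
    """Run the triage over the constructed sample data."""
    installers = parse_installers(SAMPLE_PM_OUTPUT)
    perms = {pkg: parse_granted_permissions(txt) for pkg, txt in SAMPLE_DUMPSYS.items()}
    return triage(installers, perms)


if __name__ == "__main__":
    for pkg, reason in run_sample():
        print("%s: %s" % (pkg, reason))
```

On a real device the same logic is fed by `adb` rather than the embedded strings; the point of the split between the two parsers is that installer origin and permission grants are independent signals, and an app that scores on both (a lookalike messaging app installed outside the store and holding SMS and contacts permissions) is exactly the shape of compromise the article describes.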
"This is definitely one group using the same infrastructure," Eva Galperin, the EFF's director of cybersecurity, told The Register. "We think there's a third party selling this to governments."
"Aliases associated with op13@mail[.]com include Nancy Razzouk, Hadi Mazeh, and Rami Jabbour. All of the physical addresses listed in the WHOIS domain registrations associated with op13@mail[.]com tend to cluster around the SSID: Bld3F6 Wi-Fi locations. This is near the General Security building in Beirut," the report stated.
For details on more than 90 indicators of compromise (IOCs) associated with Dark Caracal, including 11 different Android malware IOCs, 26 desktop malware IOCs across Windows, Mac and Linux, and 60 domain/IP-based IOCs, check the Lookout report here.
In the meantime, if you’ve downloaded a version of WhatsApp, Signal, or indeed any other app from a non-official Google Play source, then there is a solution.
High-Tech Bridge’s free online service “Mobile X-Ray” tests mobile applications for common weaknesses and vulnerabilities, including the OWASP Mobile Top Ten, and provides a user-friendly report. In testing late last year, High-Tech Bridge researchers found that more than 78% of applications have at least one high and two medium risk vulnerabilities, and uncovered at least one OWASP Mobile Top Ten vulnerability in 97% of applications. The service has now tested a massive 42,000 apps since launch.
Of course, even downloading apps from the official Google Play store should not be done without a certain amount of caution. Recently Check Point researchers reported that they had found around 60 apps designed for children in the official Google Play store that were infected with malware. The apps had been downloaded between 3 million and 7 million times...