Two separate incidents of surveillance-ware were found in the Google Play Store, targeting Middle East organizations.
Google has removed the offending apps, ViperRAT 2.0 and Desert Scorpion, but both represent a rare instance of a malicious mobile APT (mAPT) being distributed through an official app marketplace.
According to Lookout Security, ViperRAT 2.0 represented the resurgence of a mAPT that originally targeted individuals in the Israeli Defense Force (IDF).
Early last year, Lookout researchers reported on the discovery of ViperRAT, which compromised IDF personnel through social engineering. Personnel were prompted to download third-party chat apps by attackers posing as attractive young women. The “young women” would send a link to a target and persuade the mark into clicking on it and installing a Trojanized app.
ViperRAT 2.0 was packaged inside of custom mobile chat apps.
“The first, VokaChat, had received between 500 and 1,000 downloads, while the second, Chattak, listed the number of downloads as between 50 and 100,” Lookout said. “It is interesting that in these new samples, the chat functionality was fully implemented, something that is different from the previous samples. Furthermore, command and control infrastructure for the two samples remained active…and even included the privacy statement that Google requires from developers who publish to the Play Store.”
Meanwhile Desert Scorpion, related to APT-C-23 and the FrozenCell spyware family, targeted individuals in Palestine and was also packaged inside mobile messaging apps. Lookout has seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps, specifically on Facebook. The firm was able to tie the malware to a long-running Facebook profile that it observed promoting the first stage of this family, a malicious chat application called Dardesh, via links to Google Play.
“Even sophisticated actors are using lower-cost, less technologically impressive means like phishing to spread their malware because it's cheap and very effective, especially on mobile devices where there are more ways to interact with a victim (messaging apps, social media apps, etc.), and less screen real estate for victims to identify potential indicators of a threat,” Lookout explained.