The Syrian Electronic Army hacker group has reportedly been investing heavily in a scheme to infect Android device users with a spyware tool hidden inside fake app updates.

Known for its ardent support of Syrian President Bashar al-Assad, the threat group is targeting in particular  users of secure messaging apps such as WhatsApp and Telegram. The SEA is spreading malicious updates for these apps through a combination of watering hole websites and phishing emails, according to a report from Forbes, citing researchers at Lookout who presented their findings at the Black Hat conference in London this week.

These fake updates contain a spyware program called SilverHawk that dates back to 2016, the report continues. If a user accepts the fake update’s permissions, the spyware gains admin-level access and is able to access data, files and contacts, as well as operate the device’s microphone and camera.