A cyberespionage operation targeting Android users in the Middle East has been exfiltrating the data of unsuspecting users since June 2015.
A cyberespionage operation targeting Android users in the Middle East has been exfiltrating the data of unsuspecting users since June 2015.

A cyberespionage operation targeting Android users in the Middle East has been exfiltrating the data of unsuspecting users since June 2015.

Dubbed ZooPark, the malware used in the campaign started off as a very basic malware and has since evolved into a complex spyware with several features.

Kaspersky researchers identified several news websites that had been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs.

Upon successful infection, the malware steals contacts, account data, call logs, audio recordings of calls, pictures stored on the devices' SD card, GPS location, SMS messages, installed application details, browser data, key logs and clipboard data. ZooPark didn't always have these capabilities however, researchers said.

“From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4,” researchers said in a report detailing the espionage campaign. “This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.”

Most of the attacks were concentrated in Morocco, Egypt, Lebanon, Jordan, and Iran and were distributed via Telegram channels and watering holes with the latter being the preferred attack vector.

Concerning the Telegram method, several samples mimicked a voting application for the Iranian Kurdistan province. The fake voting app instructed used to download malicious software.

Researchers broke the malware up into four version with the fourth version being the most recent variant.  

The first versions merely exfiltrate contacts and accounts while version two was updated to steal call logs, GPS, SMS messages and device info. The third version added the capability to exfiltrate audio call records, installed application details, bookmarks, and history from browser data, photos, and pictures.

The fourth and finally version is an all-out modern spyware with the ability to exfiltrate key logs, clipboards, arbitrary files and folders, search history from browser data, capture photos, videos, audio, external data from a default list of applications and a backdoor functionality for shell commands execution with or without root silently sending SMS messages, and make calls.