Michael Flossman
Michael Flossman

A malicious chat app that was advertised on Facebook and sold in the Google Play store was discovered to execute a previously undiscovered spyware program linked to APT-C-23, an advanced persistent threat group allegedly with ties to Hamas.

Michael Flossman, head of threat intelligence at mobile security company Lookout, stated in remarks at the RSA 2018 conference on Friday that the mobile attack specifically targeted Palestinian individuals of interest.

According to a blog post from Lookout published a few days earlier, the app was advertised on Facebook as a free Android messaging service called Dardesh, but in reality acted in essence as a downloader for the final payload, a fresh-faced surveillance program named Desert Scorpion.

The spyware carries a host of capabilities, including file and data exfiltration (even for docs found in external storage); sending and retrieving SMS messages; tracking the device location; recording video and audio; uninstalling apps; placing calls; retrieving contacts, uninstalling apps, determining if a device is rooted, and more. If running on a Huawei device it will also attempt to add itself to the protected list of apps able to run with the screen turned off, reports Lookout further reported.

Google reportedly removed the offending app from its online store promptly after Lookout's private disclosure.

Lookout researchers theorize that APT-C-23, aka Two-Tailed Scorpion, is behind Desert Scorpion because the Facebook profile it used to promote the malicious Dardesh app (and link to Google Play) was previously used to post Google Drive links leading to FrozenCell, another spyware family attributed to the same threat group. Moreover, the command-and-control infrastructure used by both malware reside in similar IP blocks, the blog post notes.

Earlier this month, ClearSky Cyber Security also acknowledged the Dardesh campaign via Twitter.

Despite referencing the Desert Scorpion campaign, Flossman also spent most of his RSA presentation profiling a different threat group -- Dark Caracal, which researchers strongly believe is affiliated the Lebanese General Directorate of General Security (GDGS).

However, the threat groups in behave similarly in certain respects, in that they both heavily rely on mobile phishing campaigns to infected their intended victims. "Same sort of attack vectors, same sort of capabilities, and a lack of [use of] exploits as well," said Flossman, who co-presented with Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.

Flossman noted that mobile phishing operations are an alluring strategy for threat groups like these because they don't require much sophistication and offer numerous vectors for malicious communications outside of email, including via text and apps.

"The barrier to entry in this space is definitely being reduced," said Flossman during his presentation, "and as a result, there's a definite increase in actors having the capability in the mobile space" to infect victims and steal their sensitive personal information.