Cybercriminals are using social media and social engineering to dupe victims into downloading Advanced Persistent Threat spyware disguised as the Kik messenger app.
The spyware, dubbed “Tempted Cedar Spyware,” is designed to steal information such as contacts, call logs, SMS messages, and photos, as well as device information such as geolocation, which lets the attackers track users. It is also capable of recording surrounding sounds, including conversations victims had while their phone was within range, according to a Feb. 21 Avast blog post.
“The spyware's infection vector involves social engineering using attractive, but fictitious Facebook profiles,” researchers said in the post. “The fake Kik APK sent to victims is masqueraded as a legitimate Kik Messenger app, however, after gaining access to victims' phones, the spyware starts to exfiltrate sensitive data, sending data back to the attacker's infrastructure.”
The campaign has been running under the radar since 2015, targeting people in Middle Eastern countries.
Threat actors used fake Facebook profiles built from stolen pictures of attractive women to lure users, most likely men, into steamy chats before offering to move the conversation from Facebook to a more “secure and private” platform for more intimate interactions. The victims are then directed to phishing sites to download the spyware hidden in a fake Kik Messenger app, which requires users to change their device settings to allow installation of apps from unknown sources.
Researchers noted that three of the fake profiles used in that campaign interacted with one another on Facebook to appear more credible.
Researchers suspect Lebanese threat actors are behind the malware, based on the working hours recorded in the SSH log, which correspond to Eastern European and Middle Eastern time zones, and on the infrastructure used in the campaign.
The spyware is split into different modules with specific commands, each of which is designed to gather a particular kind of user information.
To prevent infection, researchers recommend that users run antivirus software, avoid talking to strangers online, never open links or download software sent from untrusted sources, and only download apps from trusted sources.
Researchers alerted law enforcement to the malware.