WhatsApp used in mobile data theft, state-sponsored espionage


A newly uncovered espionage campaign has affected thousands of people in more than 20 countries through trojanized WhatsApp and other messaging apps. The malware has stolen hundreds of gigabytes of data from Android smartphones.

The Electronic Frontier Foundation (EFF) and mobile security firm Lookout Inc released a report on Thursday exposing the espionage campaign, which its operators ran through malware-laced clones of messaging clients such as WhatsApp and Signal. Called Dark Caracal, the campaign gives its operators the ability to steal mobile data, retrieve location information, take photos, capture audio and more.


Researchers speculate that the threat may be state-sponsored as it "appears to employ shared infrastructure" linked to other nation-state actors. In fact, Dark Caracal can be traced "to a building belonging to the Lebanese General Security Directorate in Beirut".

Eva Galperin, Director of Cybersecurity at EFF, says those affected are located in the US, Canada, Germany, France and Lebanon and include military personnel, activists, lawyers and journalists. Stolen data ranges from audio recordings and call records to photos and documents.

"This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life," says Galperin in a statement.


Cooper Quintin, a staff technologist at EFF, says Dark Caracal does not need a sophisticated or expensive exploit to operate on the ground. Granted application permissions are all it needs to start functioning.
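Because the trojanized clones rely on ordinary granted permissions rather than an exploit, a practical triage check on a device is to list which installed packages hold the surveillance-capable permissions (location, camera, microphone, call log, SMS, contacts, storage) and where each package was installed from. The script below is an added example written for this article, not code from the EFF/Lookout report or from any of the apps it names. It parses a constructed, simplified sample that approximates the shape of `adb shell dumpsys package` output (the real format varies across Android versions, so the parser is deliberately loose), and flags packages that were not installed from a trusted store and yet hold several of those permissions. The package name `com.example.fakechat`, the fake hashes and the `TRUSTED_INSTALLERS` set are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Permissions that together give the capabilities the report attributes to
# Dark Caracal: location, photos, audio capture, call records, messages,
# contacts and documents.
SURVEILLANCE_PERMS: Set[str] = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Assumption for this example: only Google Play is trusted. Extend this with
# your MDM or OEM store package names before using it in practice.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Constructed sample approximating `adb shell dumpsys package` output.
# Hashes, user ids and the lookalike package name are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.whatsapp] (a1b2c3):
    userId=10123
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.fakechat] (d4e5f6):
    userId=10124
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Return {package: {"installer": str|None, "granted": set(perms)}}."""
    pkgs: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            pkgs[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = INSTALLER_RE.match(line)
        if m:
            value = m.group(1)
            # dumpsys prints "null" for sideloaded / unknown installers.
            pkgs[current]["installer"] = None if value == "null" else value
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            pkgs[current]["granted"].add(m.group(1))
    return pkgs


def flag_suspicious(pkgs: Dict[str, dict], min_hits: int = 3
                    ) -> List[Tuple[str, Optional[str], List[str]]]:
    """Packages not from a trusted installer holding >= min_hits surveillance perms."""
    findings = []
    for name, info in pkgs.items():
        if info["installer"] in TRUSTED_INSTALLERS:
            continue
        hits = sorted(info["granted"] & SURVEILLANCE_PERMS)
        if len(hits) >= min_hits:
            findings.append((name, info["installer"], hits))
    return findings


if __name__ == "__main__":
    for name, installer, hits in flag_suspicious(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{name} (installer={installer}) holds {len(hits)} surveillance permissions: {hits}")
```

This is a triage heuristic, not verification: `installerPackageName` is absent or unreliable on some Android builds, legitimate enterprise apps are often sideloaded, and a real clone can carry the genuine package name. To confirm a suspected clone, compare the installed package's signing certificate fingerprint against the one the legitimate vendor publishes rather than relying on the name or the permission set.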

Dark Caracal is categorised as an APT (advanced persistent threat) whereby an unauthorised person gains access to a network and remains there undetected for a long period of time. The motivation for the attack is to steal data rather than to inflict damage to the network or organisation.

The threat has been operating since at least 2012. It took experts some time to recognise it as a single operation, because the same infrastructure hosted a range of seemingly unrelated espionage campaigns that shared similar domain names.

"Dark Caracal is part of a trend we've seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform," says Mike Murray, vice president of Security Intelligence at Lookout. "The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about."

This article was first published on January 19, 2018