
Dark Caracal, a global spyware espionage campaign, allowed hackers to spy on thousands of people in more than 20 countries and steal hundreds of gigabytes worth of data. This was revealed in a report shared by the Electronic Frontier Foundation (EFF) and mobile security company Lookout. The report by EFF and Lookout says that the spyware campaign relies on fake versions of messaging apps such as Signal and WhatsApp to steal data.
“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” EFF Director of Cybersecurity Eva Galperin said in a press statement. She added this was a “very large, global campaign, focused on mobile devices.”
According to the report, these “trojanized apps”, which include fake versions of Signal and WhatsApp, appear to be just like the legitimate apps and can send and receive messages. But the fake apps allowed attackers “to take photos, retrieve location information, capture audio, and more.” According to the EFF and Lookout, Dark Caracal may have been deployed by a nation-state actor. The report says Dark Caracal has been traced to a building belonging to the Lebanese General Security Directorate in Beirut.
“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform. The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about,” Mike Murray, Vice President of Security Intelligence at Lookout said in a press statement.
Dark Caracal appears to have been active for some time. The researchers have pointed out that the spyware campaign has been operating since at least 2012, but it has been hard to track because of other, seemingly unrelated espionage campaigns originating from the same domain names. They also believe Dark Caracal is just one of a number of different global attackers using this very same infrastructure.
The other worrying feature of Dark Caracal is that it does not require any sophisticated equipment or expensive exploit to be carried out. Given that the hackers are relying on fake versions of messaging apps, they could easily get permissions to access data, camera, speaker, etc. on the phone. This is because users tend to grant these permissions to all messaging apps in order to use many of their features.
Lookout also says they worked directly with the Google Android Security Team to fix the threat on the platform and the “team was highly responsive and worked to find the malicious apps and protect customers.” Once again, when downloading apps, customers should make sure that they are doing so from the official Play Store, and not from third-party app stores. It is also best to check the official developer before downloading the app, in order to avoid fake apps, malware or spyware.