Secret Hacking Group Using Android Malware to Spy on Thousands: Research Findings


Research findings suggest that a secret hacking group is carrying out a shadowy hacking campaign targeting thousands of people and firms spread across 21 countries.

The group, which has been nicknamed Dark Caracal, has been operating out of a building in Beirut and has been stealing large amounts of confidential data (text messages, files, call logs and more) from journalists, lawyers, activists, military personnel and others, and also from many organizations. The findings have been published in a report jointly released by the cyber security firm Lookout and the digital civil rights group Electronic Frontier Foundation (EFF).

Here is what the report says: “Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information. We are releasing more than 90 indicators of compromise (IOC) associated with Dark Caracal including 11 different Android malware IOCs; 26 desktop malware IOCs across Windows, Mac, and Linux; and 60 domain/IP based IOCs.”

The report also gives details regarding the targets and the kinds of data that get stolen: “Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies, and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers, and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.”

The campaign uses custom Android malware embedded in fake versions of certain messaging apps (Signal, WhatsApp and others) to steal text messages, two-factor authentication codes and other data from mobile devices. The malware can also activate a phone’s camera and microphone, letting the attackers photograph or record a target surreptitiously. The report also says that Dark Caracal uses the FinFisher software (a surveillance tool often used by law enforcement and government agencies) to steal data.

Dark Caracal, as per the report, could be administering its tooling out of the Beirut headquarters building of the GDGS (General Directorate of General Security), an organization that gathers intelligence for national security purposes and that has offensive cyber capabilities. The hacking group reportedly uses the same infrastructure that was previously used to target dissidents in Kazakhstan as part of the Operation Manul campaign.

The Lookout-EFF report says that Dark Caracal “…has successfully run numerous campaigns in parallel and we know that the data we have observed is only a small fraction of the total activity.” Researchers from Lookout and EFF have been observing infrastructure used by the group since July 2017; they have found that the group has been running six unique hacking campaigns, some of which had been ongoing for years. The victims are scattered across the world, including the U.S., Russia, China and India.

Dark Caracal, as per the Lookout-EFF researchers, “…follows the typical attack chain for cyber-espionage. They rely primarily on social media, phishing, and in some cases physical access to compromise target systems, devices, and accounts.”
