So much attention goes to the flashy, novel ways that government intelligence agencies break into modern smartphones that it is easy to forget cheap and simple often works just as well. Research from cybersecurity firm Lookout and digital rights NGO the Electronic Frontier Foundation, published Thursday, illustrates just that: it details a successful surveillance campaign against around 500 phones running Google’s Android operating system and traces the infections back to a Beirut building owned by a Lebanese intelligence agency.
The hackers have been dubbed Dark Caracal and, after mistakenly leaking digital clues, were traced back to a building belonging to the Lebanese General Security Directorate in Beirut, where the country’s chief communications intelligence agency operates. The researchers said the group had stolen hundreds of gigabytes of data across more than 20 countries in North America, Europe, the Middle East and Asia, with at least 2,000 victims in total. Michael Flossman, security researcher at Lookout, told Forbes there are likely many thousands more infected with the group’s various spyware tools for PCs and cellphones, noting that he and his colleagues did not have complete visibility of the Dark Caracal attacks.
A social Caracal
What struck Flossman, as well as fellow researchers Mike Murray from Lookout and Cooper Quintin from the EFF, was how unsophisticated the smartphone attacks were and how well they worked nonetheless. Looking through surveillance efforts dating back to 2012, they found no “zero-day exploits” (attacks on previously unknown, unpatched vulnerabilities), nor did the attackers ever have to get their malware onto the Google Play store. Instead, they relied on basic social engineering and on the permissions victims granted to the malicious apps once they were sideloaded.
They started by phishing over WhatsApp, sending messages that encouraged users to visit a website the hackers controlled. There, targets were offered what purported to be updates for secure messaging apps, including WhatsApp, Signal, Threema and Telegram, as well as Orbot, an app that routes Android traffic over the anonymizing Tor network. Those trojanized apps contained the Dark Caracal surveillance malware, dubbed Pallas, which could do what any surveillance implant would want: take photos, steal data, spy on communications apps, record video and audio, and acquire location.
With Google’s help, the researchers also found Pallas code in several apps claiming to be Adobe Flash Player and Google Play Push. Fake Facebook personas and groups were set up to find targets and coax them into downloading the malicious apps, and news-themed lures were also used to draw people into the hackers’ web.
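The pattern described above (an app that calls itself Signal, WhatsApp, Threema, Telegram or Orbot but is installed from outside Google Play and asks for the camera, microphone, location, SMS and contacts) is easy to triage from the app’s manifest. The script below is an added example written for this article, not code from Lookout, the EFF or the Dark Caracal report; the two manifests and the installer values are constructed, the package names of the genuine apps are the public ones, and extracting a real manifest from an APK (for instance with apktool or aapt) is assumed to have happened beforehand.

```python
"""Triage an Android manifest for the Dark Caracal lure pattern:
an app impersonating a secure messenger, installed from outside Play,
requesting the full surveillance permission set. Added example; not
code from Lookout, the EFF or the report they published."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
PLAY_STORE_INSTALLER = "com.android.vending"            # installer recorded by Android for Play installs

# Genuine package names of the apps the lures impersonated (public, verifiable).
LEGIT_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "whatsapp": "com.whatsapp",
    "threema": "ch.threema.app",
    "telegram": "org.telegram.messenger",
    "orbot": "org.torproject.android",
}

# Permissions that map onto the Pallas capability list from the article.
SURVEILLANCE_PERMS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
}

def parse_manifest(xml_text):
    """Pull package name, user-visible label and requested permissions from a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    perms = {u.get(A + "name") for u in root.findall("uses-permission")}
    return {"package": root.get("package"), "label": label, "permissions": perms}

def triage(manifest, installer=None, min_capabilities=4):
    """Verdict: 'impersonation' (label claims a known app, package differs),
    'review' (sideloaded with a broad surveillance permission set), or 'ok'."""
    label = manifest["label"].lower()
    impersonation = [
        f"label claims {name!r} but package is {manifest['package']} (expected {pkg})"
        for name, pkg in LEGIT_PACKAGES.items()
        if name in label and manifest["package"] != pkg
    ]
    caps = {SURVEILLANCE_PERMS[p] for p in manifest["permissions"] if p in SURVEILLANCE_PERMS}
    sideloaded = installer != PLAY_STORE_INSTALLER
    if impersonation:
        verdict = "impersonation"
    elif sideloaded and len(caps) >= min_capabilities:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "impersonation": impersonation, "capabilities": sorted(caps)}

# Constructed manifest: a fake "Signal update" under an unrelated package name.
FAKE_SIGNAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.secure.signal.update">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Signal Update"/>
</manifest>"""

# Constructed manifest: the genuine package name with a messenger's normal permissions.
GENUINE_SIGNAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.thoughtcrime.securesms">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Signal"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, installer in [
        ("fake, sideloaded", FAKE_SIGNAL_MANIFEST, None),
        ("genuine, from Play", GENUINE_SIGNAL_MANIFEST, PLAY_STORE_INSTALLER),
        ("genuine package, sideloaded", GENUINE_SIGNAL_MANIFEST, None),
    ]:
        print(name, "->", triage(parse_manifest(xml), installer=installer))
```

The permission set on its own is a weak signal: a real messenger legitimately needs the camera, microphone and contacts, which is exactly why a user who has just been told to “update Signal” grants them without a second thought. The discriminators are the package name and the install source, and in practice the APK’s signing certificate (not checked here) should be compared against the genuine developer’s as well.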
Flossman noted that although the attackers did a poor job of covering their tracks, to the point where their location could be uncovered, they were still successful. “It really goes to show, attackers don’t need access to zero-days to be effective. There were no exploits but it was still incredibly effective. We’re seeing that from a number of different actors other than these guys. There’s a lot of value and intelligence you can get from mobile and the investment you need is quite low.”
Quintin added: “Countries that, unlike the Five Eyes, can’t afford a global mass surveillance apparatus are increasingly turning towards these tactics to spy on dissidents who are beyond their borders.”
Whilst Apple Mac and Windows devices were targeted in Dark Caracal’s various campaigns, most of the information was stolen from Android devices. At least six distinct Android campaigns were linked to one of the attackers’ servers, which had been left open and could be analyzed; it held 48GB taken from phones running Google’s software, compared with 33GB from Windows computers. In all, the attackers acquired more than 250,000 contacts and 485,000 text messages from Android devices. Sensitive data such as bank passwords and PINs were recorded too.
The group not only developed its own tools but also purchased malicious code, either from sellers on the dark web or from commercial vendors, including FinFisher, a business operating in the lawful-intercept market. FinFisher had previously been linked to sales to Lebanon and has been criticized for selling to regimes with poor human rights records. Though he could not say whether the FinFisher Android spyware had actually been deployed, Flossman noted that its presence in the group’s arsenal had not been recorded before. The company had not responded to a request for comment at the time of publication.
Tracing the Caracal’s paws back to Beirut
Neither the Lebanese intelligence agency nor the country’s embassy in London had responded to requests for comment at the time of publication. The researchers said it was possible the agency itself was not behind the attacks, which could have been carried out by a rogue actor within the building or by others who had infiltrated systems in the facility.
To trace the malware back to the General Security Directorate, the researchers obtained data from the test Android devices on which the hackers had trialled their attacks. From the Wi-Fi networks those test devices had connected to, they were able to work out where the phones had been. They also found IP addresses on the attackers’ servers, two of which resolved to locations just south of the complex.
Whilst the apps were never on Google’s official Play store, the Mountain View giant is aware of the malware and has updated Google Play Protect, the built-in Android service that scans installed apps, including sideloaded ones, for known malware. Google had not provided comment for this article at the time of publication.
The researchers could not say for certain whether the Lebanese government had sponsored the attacks, but there were indications that a nation state was behind the operation. “Dark Caracal targets include individuals and entities that a nation state might typically attack, including governments, military targets, utilities, financial institutions, manufacturing companies and defense contractors. We specifically uncovered data associated with military personnel, enterprises, medical professionals, activists, journalists, lawyers and educational institutions during this investigation. Types of data include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos and account data,” the research report read.
Even the sloppiest spies can pull off huge data hauls, then, especially when people fall for the same old tricks on the newest technology.