A group of highly talented and well resourced hackers are spying on the Israeli Defense Force by hacking into the personal smartphones of individual soldiers, according to newly released research by Lookout and Kaspersky.
More than 100 Israeli servicemen are believed to have been effectively targeted with the spyware.
Dubbed ViperRAT, the clandestine hacking collective was found actively hijacking soldiers’ Android-based smartphones to remotely siphon images and audio directly from the devices. By compromising dozens of mobile devices, researchers say that the hackers were able to successfully establish an expansive espionage campaign.
Highly sophisticated malware allowed the attackers to control each phone’s microphone and camera. In effect, the hackers were able to eavesdrop on soldiers’ conversations and also peer into live camera footage — wherever an affected smartphone’s camera would be pointed, that vantage point could have also been viewable to the hackers.
In addition, the malware forces the smartphone to transfer geolocation, call log, and cellphone tower information, network and device metadata, personal photos, SMS messages, internet browsing and application download history, to a mysterious server.
A vast majority — roughly 97 percent — of the total 8,929 files that were exfiltrated by the hackers via IDF phones were identified by Lookout researchers as being encrypted images, which were taken using the phone’s own camera.
The IDF worked closely together with private industry, including Kaspersky Labs, to investigate this incident, which first gained notoriety several months ago when a cohort of fake users on a popular dating application began sending malicious links to Israeli servicemen.
At the time, it was theorized that Hamas was behind these attacks. It is now clear that this elaborate social engineering scheme was part of a much larger espionage effort driven by a far more advanced actor.
“Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT,” a Lookout blog post reads. “ViperRAT has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic. This leads us to believe this is another actor.”
Lookout’s research team found that ViperRat used several different mechanisms to infect devices.
With the dating application honeypot, soldiers were encouraged by what appeared to be a young woman to download a trojanized version of two different, typically legitimate chat applications, SR Chat and YeeCall Pro.
Other Android smartphone applications common to Israeli citizens and available in the Google Play store — including a billiards game, an Israeli Love Songs player, and a Move To iOS app — where found to contain hidden ViperRat malware.
Notably, as an evident indicator of sophistication, after the malware infected a target phone it would hide subsequent, additional payload downloads by naming them as application and systems upgrades. Being listed as a WhatsApp Update or Viber Update, for example, made it more difficult for investigators to pinpoint malware stored on the phone.
“Mobile devices are at the frontier of cyber-espionage, and other criminal motives. Enterprise and government employees all use these devices in their day-to-day work, which means IT and security leaders within these organizations must prioritize mobile in their security strategies,” Lookout Security Researcher Michael Flossman wrote.