ViperRAT spyware resurfaces in Google Play Store

ViperRAT made waves last year after a wave of IDF personnel fell victim to social engineering attacks from hackers posing as young women.

One year after a hacking campaign targeted Israeli Defense Force soldiers, the ViperRAT malware family returned to the Google Play Store, according to new research from the mobile security firm Lookout.

ViperRAT made waves last year after a wave of IDF personnel fell victim to social engineering attacks from hackers posing as young women, who tricked the soldiers into installing third-party apps that copied files and spied on communications. The malware relatively disappeared after intense media coverage, but the new samples look even more sophisticated — so much so that they’ve snuck into the Google Play Store.

It’s not clear who is  being targeted or responsible for building the ViperRAT 2.0. The two ViperRAT malicious chat apps (called VokaChat and Chattak) in the Google Play Store were downloaded over 1,000 times before Lookout discovered and Google removed them.

“The chat functionality of the apps, which in earlier ViperRAT samples did not function, is now functioning,” said Andrew Blaich, Lookout’s head of device intelligence. “This means the app actually does serve a purpose and can hide in the noise of other social networking and chat applications, so that it doesn’t appear to be purely a surveillance implant at first glance. This ties into the cat-and-mouse game of actors trying to ‘tune’ their malware in such a way that it evades early detection so that it makes it into the Play Store.”


The appearance in Google Play is being called a “milestone” by researchers.

“It is believed that social engineering still plays a significant role in these latest attacks, however by hosting them on the Google Play Store, ViperRAT samples are likely to appear much more credible,” the researchers wrote. “Moreover, victims were no longer required to enable third party installations.”

Infecting a target is much easier when there is no need to enable third-party installations. By leveraging the credibility and ease of the Google Play Store, all targets have to do enable the malware is click “install.”

“Independent of the target or motive of the attackers, ViperRAT in Google Play demonstrates the increasing sophistication of mobile threats,” the researchers wrote. ” This is alarming to us, because as attackers continually find new ways to add legitimacy to their malicious apps, their phishing attacks will become more successful.”

Google did not respond to a request for comment.


ViperRAT, which first surfaced in 2015, was initially thought to be a possible campaign by the Palestinian political group Hamas in an effort to target Israeli soldiers. Lookout cast doubt on that hypothesis last year because of the malware’s sophistication, a fact that’s become even more pronounced since its initial discovery.

Android is by far the most popular operating system in the world, which makes Google Play the most important — and heavily targeted — official app store in existence. Google removed 700,000 malicious apps from the Google Play Store in 2017, the company said last year, a 70 percent increase over 2016. The majority of malicious apps are detected by machine learning and artificial intelligence, a majority threshold that was first passed in early 2017.

Android Play Protect, however, failed to measure up to competitors in security tests last year.

Latest Podcasts