Researchers at Kaspersky have exposed a spyware campaign, dubbed ViceLeaker, that targets Android users in the Middle East in order to spy on them.

Kaspersky spotted a spyware campaign, tracked as ViceLeaker, that is active in the Middle East and steals device and communications data from Android users.

Active since May 2018, the ViceLeaker campaign has targeted scores of Android mobile devices belonging to Israeli citizens. The campaign was also monitored by researchers at Bitdefender, who named the malware Triout.

The attack chain begins with malicious Telegram and WhatsApp messages containing links to Trojanized apps, one of which was a fake application named “Sex Game For Adults.”

The attackers backdoor legitimate applications using an unusual injection technique based on Smali.

Once it has compromised an Android device, the malware also injects a backdoor into legitimate mobile applications to maintain persistent access.

“To backdoor legitimate applications, attackers used a Smali injection technique – a type of injection that allows attackers to disassemble the code of the original app with the Baksmali tool, add their malicious code, and assemble it with Smali,” reads the analysis published by Kaspersky. “As a result, due to such an unusual compilation process, there were signs in the dex file that point to dexlib, a library used by the Smali tool to assemble dex files.”
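How the repackaging described above shows up in the file itself, as an added example that is neither Kaspersky's code nor part of this article. The header layout is the public Dalvik Executable (DEX) format; the sample file is constructed in `build_minimal_dex`, and the `known_good_signature_hex` reference stands for a hash taken from the vendor's legitimate build, both assumptions of this example. The point it makes: when baksmali/smali reassemble an app they recompute the header's Adler-32 checksum and SHA-1 signature, so a rebuilt `classes.dex` passes its own integrity checks, and repackaging only becomes visible when the signature is compared against a known-good copy.

```python
import hashlib
import struct
import zlib

# DEX header constants (Dalvik Executable format specification).
DEX_MAGIC_PREFIX = b"dex\n"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
TYPE_HEADER_ITEM = 0x0000
TYPE_MAP_LIST = 0x1000

# Header field names following the 8-byte magic, in file order.
HEADER_FIELDS = (
    "checksum", "signature",
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
HEADER_STRUCT = struct.Struct("<I20s" + "I" * 20)


def parse_dex_header(data: bytes) -> dict:
    """Decode the fixed 0x70-byte header of a classes.dex into a dict."""
    if len(data) < HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX or data[7] != 0:
        raise ValueError("not a DEX file")
    return dict(zip(HEADER_FIELDS, HEADER_STRUCT.unpack_from(data, 8)))


def verify_dex_integrity(data: bytes) -> dict:
    """Recompute the header's own self-checks: Adler-32 over bytes 12.., SHA-1 over bytes 32.."""
    hdr = parse_dex_header(data)
    return {
        "checksum_ok": hdr["checksum"] == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": hdr["signature"] == hashlib.sha1(data[32:]).digest(),
        "size_ok": hdr["file_size"] == len(data),
        "header_ok": hdr["header_size"] == HEADER_SIZE and hdr["endian_tag"] == ENDIAN_CONSTANT,
    }


def is_repackaged(data: bytes, known_good_signature_hex: str) -> bool:
    """A rebuilt DEX carries a fresh, self-consistent signature, so integrity checks pass;
    the reliable tell is that the signature no longer matches the vendor's build
    (known_good_signature_hex is an assumed reference supplied by the analyst)."""
    return parse_dex_header(data)["signature"].hex() != known_good_signature_hex.lower()


def build_minimal_dex(extra_data: bytes = b"") -> bytes:
    """Constructed sample: a header plus a two-entry map_list and nothing else.
    `extra_data` stands in for bytes an assembler adds when code is injected."""
    map_off = HEADER_SIZE
    map_list = struct.pack("<I", 2)
    map_list += struct.pack("<HHII", TYPE_HEADER_ITEM, 0, 1, 0)
    map_list += struct.pack("<HHII", TYPE_MAP_LIST, 0, 1, map_off)
    data_section = map_list + extra_data
    body = struct.pack(
        "<" + "I" * 20,
        HEADER_SIZE + len(data_section), HEADER_SIZE, ENDIAN_CONSTANT,
        0, 0,                 # link_size, link_off
        map_off,
        *([0] * 12),          # string/type/proto/field/method/class_def sizes and offsets
        len(data_section), map_off,
    )
    tail = body + data_section
    signature = hashlib.sha1(tail).digest()                 # SHA-1 covers everything after the signature
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # Adler-32 covers everything after the checksum
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail


if __name__ == "__main__":
    original = build_minimal_dex()
    reference = parse_dex_header(original)["signature"].hex()  # stands for the vendor's known-good build
    rebuilt = build_minimal_dex(b"\x00" * 16)                    # the same app after a rebuild
    print(verify_dex_integrity(rebuilt))                         # all True: a rebuild re-signs itself
    print(is_repackaged(rebuilt, reference))                     # True: body differs from the reference
```

Crude tampering (patching bytes without reassembling) breaks `checksum_ok` and `signature_ok`, while a proper smali rebuild leaves all four self-checks green; that difference is why a known-good hash, not the header, is the control that catches a Trojanized copy of a legitimate app.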

ViceLeaker leverages HTTP for C&C communications and to transfer exfiltrated data.

During the investigation, Kaspersky also found a sample of a modified version of the open-source Jabber/XMPP client “Conversations.” The tampered version used by the ViceLeaker group sends geographic coordinates to the C2 every time a message is sent via the app.

The modified Conversations app mimics the Telegram messenger, but the experts did not find any malicious activity performed by this specific app.

The experts considered the possibility that the threat actors were using a compromised email account; examining it, they found a personal page and a GitHub account containing a fork of the Conversations source code.

Kaspersky said that the ViceLeaker campaign is still ongoing, but at present the attackers have taken down their communication channels.

“The operation of ViceLeaker is still ongoing, as is our research,” Kaspersky concludes. “The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner.”
