Sophisticated Android malware, allegedly showing signs of a state-backed campaign, is being used to snoop on highly select targets in the Middle East, according to a report by Kaspersky Lab.
The operation, referred to as ‘ZooPark’, is thought to have been active since June 2015, and there is no indication that it has ceased operation.
The malware has a wide range of capabilities: it can access contact information, call logs, pictures, messages and browser data, record calls made from the phone, silently place calls itself, and execute shell commands. It also contains a keylogging function that lets the attackers steal information such as usernames and passwords, and it can capture photos and screenshots.
The latest version of the malware can also target applications such as Telegram, WhatsApp and the Chrome web browser, with attacks capable of exfiltrating their internal databases.
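The capabilities listed above map onto a recognisable set of Android permissions, which is one way a defender can triage a suspicious APK before any deeper analysis. The following is an added example, not Kaspersky's tooling or ZooPark's own manifest; the permission-to-capability map is an assumption about how such features are normally requested, and the sample manifest is constructed for the self-test.

```python
"""Triage a decoded AndroidManifest.xml against the capability set described
in the ZooPark report (contacts, call logs, messages, call recording,
placing calls, photos/screenshots). Added example, not Kaspersky's tooling;
the capability map is an assumption, not ZooPark's actual manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the report -> Android permissions that usually back it.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call recording": {"android.permission.RECORD_AUDIO"},
    "silent calls": {"android.permission.CALL_PHONE"},
    "photos/screenshots": {"android.permission.CAMERA"},
    "file/database access": {"android.permission.READ_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def capability_hits(manifest_xml: str) -> dict:
    """Map each matched capability to the permissions that triggered it."""
    perms = requested_permissions(manifest_xml)
    return {cap: sorted(perms & needed)
            for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}

def spyware_score(manifest_xml: str) -> int:
    """Number of report-listed capabilities the manifest could support."""
    return len(capability_hits(manifest_xml))

# Constructed sample manifest for the self-test; not a real ZooPark artefact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for cap, perms in capability_hits(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(perms)}")
    print("capabilities matched:", spyware_score(SAMPLE_MANIFEST))
```

A high score is a reason to look further (who signed the APK, where it was downloaded from), not proof of spyware on its own, since legitimate dialler or messaging apps request several of the same permissions.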
According to Kaspersky, there are two main distribution vectors for ZooPark: Telegram channels and watering holes. The latter is the preferred vector: researchers at Kaspersky found several news websites that had been hacked to redirect visitors to a download site serving malicious APKs.
One of the reasons the attack stayed undiscovered for so long is that targets were carefully selected, according to Alexey Firsh, a security expert at Kaspersky, who said: “With our detection statistic, we observed less than 100 targets. This and other clues indicate that the targets are specifically selected […] The group obviously has a large background in offensive security operations and a lot of resources.”
Kaspersky researchers also commented that the target profile has evolved over the years of the campaign, focusing on Egypt, Jordan, Morocco, Lebanon and Iran.
Other research from Kaspersky Lab shows that, at least based on results from the UAE, smartphones and mobile devices are particularly widely used in the Middle East, but users there are less likely than the global average to have any kind of security software installed on them.
Given how long this highly targeted operation went undetected, and the suspicion of nation state level involvement (or at least an actor with comparable resources and expertise), it seems plausible that parallel and equally highly-targeted operations may still be ongoing.