Dark Caracal Group Revealed: Group Used Trojanized Android Apps to Steal Data

Nonprofit organization Electronic Frontier Foundation (EFF), together with a mobile security firm, identified a hacking group dubbed as Dark Caracal as the perpetrators behind cyberattacks that affected thousands of victims from over 20 countries.

According to the report from EFF and the mobile security firm, Dark Caracal stole “hundreds of gigabytes” of data from thousands of people. Stolen data included audio recordings, text messages, call records, documents, photos, contact information, secure messaging client content, account data, and enterprise intellectual property. The group was found to have advanced capabilities and are known to target governments, military, financial institutions, manufacturing companies, and defense contractors.

To carry out its attack, Dark Caracal uses trojanized Android apps to compromise a targeted system. The malware includes a custom-developed mobile spy tool called Pallas and more commonly used tools such as FinFisher and Bandbook RAT that can be acquired through dark web marketplaces.

According to the report, there is an implant component for infected Windows, Mac, and Linux desktops. However, the campaigns are primarily aimed at infecting Android devices via fake secure messaging apps such as Signal and WhatsApp.

The attack starts off as a lure placed on a Facebook group or WhatsApp messages. Messaging would include political ones or links to Facebook groups that Dark Caracal believes would be of interest to the victim. A successful phishing attack on WhatsApp leads the victim to a watering hole server, while those who use Facebook are sent to a malicious website that masks itself with a Google, Facebook or Twitter domain.

Once inside a victim’s device, the attack involves gathering stored images, texts, and even use the phone to take photos of what the owner is doing. The largest amount of data came from six Android campaigns that delivered 48GB of information, while an additional 33GB of information was harvested from Windows campaigns.

The EFF also clarified that WhatsApp had been compromised but the infections came from trojanized versions of the Android apps hosted by a fake version of an app store. They also assured users that if the apps were downloaded from Google Play, “then you are almost certainly in the clear.”

These attacks orchestrated by the Dark Caracal group is reminiscent of AnubisSpy (ANDROIDOS_ANUBISSPY), a type of malware that has a payload package called a watchdog. It can steal messages, photos, videos, contacts, email accounts, calendar events, and browser histories, and can also take screenshots and record audio—including voice calls. It spies on the victim through apps installed on the device that can be updated through its configuration file. After AnubisSpy collects the data, it is then encrypted and sent to a C&C server, and is capable of self-destructing to cover its tracks.

The problems of spyware and threats such as AnubisSpy highlights how important it is to secure mobile devices. Some of the best practices for mitigating mobile threats would include enforcing the principle of least privilege and implementing an app reputation system.

Trend Micro solutions for mobile security

Trend MicroMobile Security for Android™ (also available on Google Play) detects these malicious apps. End users and enterprises can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend MicroMobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.

Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.