An advanced persistent threat (APT) group called Dark Caracal is using fake WhatsApp and Signal apps to install spyware. The APT group has already gained access to many thousands of devices and has stolen hundreds of gigabytes of data. Individuals in at least 21 countries have had their mobile devices infected.
The APT group is highly advanced, and is believed to operate at the nation-state level, with strong evidence suggesting the group is based in Beirut, Lebanon. The group has been linked to the Lebanese General Security Directorate (GDGS), as it is believed to be operating out of a GDGS-owned building. GDGS has denied any involvement and said it does not have the capabilities of Dark Caracal, although it wished it did.
The APT group has previously been linked to attacks on governments, activists, journalists, educational institutions, and other high-profile targets.
The latest Dark Caracal spyware campaign was uncovered by the Electronic Frontier Foundation (EFF) and mobile security company Lookout. EFF/Lookout say this is a campaign designed to attack mobile devices rather than computers. Mobile devices contain large quantities of personal data about individuals and are extremely valuable spying tools. The attackers have been able to read text messages, obtain audio recordings by switching on the microphone, and take photos and video, as well as gain access to stored data and online accounts.
The spyware – called Pallas – is downloaded via fake WhatsApp and Signal apps that function exactly like the legitimate applications. Users will be unaware that their device has been compromised.
EFF/Lookout contacted Google, which confirmed that the fake apps had not been downloaded from the Google Play store, meaning they are being downloaded from third-party stores.
“All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF Staff Technologist Cooper Quintin.