Dark Caracal Global Malware Espionage Campaign Targets Thousands Of Android Users


Well this is disturbing—researchers at the Electronic Frontier Foundation (EFF) and mobile security company Lookout have discovered a cyber-espionage campaign that has been operational since 2012 and is aimed at Android users. The campaign, dubbed Dark Caracal, has infected thousands of Android devices in more than 20 countries, resulting in the theft of hundreds of gigabytes of data.

The malware that is being doled out as part of Dark Caracal is mostly focused on spoofing secure chat messaging clients on mobile devices. Among them are fake versions of Signal and WhatsApp, which appear to work like their legitimate counterparts, except they are infected with malware. Once installed, cyber criminals can use a victim's Android device to take photos, retrieve location information, record audio, and more.

"People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos," said EFF Director of Cybersecurity Eva Galperin. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life."

[Figure: Android chart. Source: Lookout (PDF)]

Initial analysis has led EFF and Lookout to believe the perpetrators might be a nation-state actor. The firms also believe the culprit is using shared infrastructure that has been linked to other nation-state actors. One particular trace of Dark Caracal led the researchers to a building belonging to the Lebanese General Security Directorate in Beirut.

"Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform," said Mike Murray, Vice President of Security Intelligence at Lookout. "The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about."

One thing that has made Dark Caracal so difficult to track is the diversity of what appear to be unrelated espionage campaigns using the same domain names. EFF and Lookout believe that Dark Caracal is one of many different global attacks using the same infrastructure. Part of what's both interesting and concerning is that Dark Caracal does not require a sophisticated or expensive exploit; it mainly relies on the application permissions that unwitting users grant when installing fake apps containing malware.

As always, it's recommended that you only download apps from trusted sources.
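As an added defender-side illustration (this is not code from the EFF/Lookout report or from this article), the Python below screens an installed Android package on the two signals the article names: whether it requests the permissions a fake chat app would need for the photo, audio, location and call-record collection described, and whether it was installed from a trusted store or sideloaded. It assumes the text output of `aapt dump badging <apk>` and `adb shell pm list packages -i` as inputs; the sample output embedded below is constructed, the package name `org.example.fakechat` is hypothetical, and the grouping of permissions into data categories is this example's own choice.

```python
"""Screen an Android package for sideloading plus data-collection permissions.

Added example, not from the article or the Dark Caracal report. Inputs are
assumed to be the text of `aapt dump badging` (uses-permission lines) and
`adb shell pm list packages -i` (package/installer lines).
"""
import re
from typing import Dict, List, Set

# Permissions grouped by the kinds of data the article says were stolen
# (photos, audio, location, call records, documents). Grouping is ours.
SENSITIVE: Dict[str, Set[str]] = {
    "photos/camera": {"android.permission.CAMERA"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "call records": {"android.permission.READ_CALL_LOG",
                     "android.permission.READ_PHONE_STATE"},
    "messages/contacts": {"android.permission.READ_SMS",
                          "android.permission.READ_CONTACTS"},
    "documents/storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")

# Constructed sample of `aapt dump badging` output for a hypothetical
# trojanized chat app; not real Dark Caracal sample output.
SAMPLE_BADGING = """package: name='org.example.fakechat' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

# Constructed sample of `pm list packages -i` output: one store-installed
# package and one sideloaded package (installer=null).
SAMPLE_PM = """package:com.android.chrome  installer=com.android.vending
package:org.example.fakechat  installer=null
"""


def parse_permissions(badging: str) -> List[str]:
    """Extract requested permission names from aapt badging text."""
    perms = []
    for line in badging.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            perms.append(m.group(1))
    return perms


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package name ('null' if sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def sensitive_categories(perms: List[str]) -> Dict[str, List[str]]:
    """Which sensitive data categories the requested permissions reach."""
    requested = set(perms)
    return {cat: sorted(requested & names)
            for cat, names in SENSITIVE.items() if requested & names}


def triage(package: str, badging: str, pm_output: str) -> dict:
    """Combine both signals: sideloaded install + broad data-collection reach."""
    installer = parse_installers(pm_output).get(package, "unknown")
    sideloaded = installer in ("null", "unknown")
    cats = sensitive_categories(parse_permissions(badging))
    return {
        "package": package,
        "installer": installer,
        "sideloaded": sideloaded,
        "categories": cats,
        # Threshold of three categories is an arbitrary choice for this example.
        "review": sideloaded and len(cats) >= 3,
    }


if __name__ == "__main__":
    print(triage("org.example.fakechat", SAMPLE_BADGING, SAMPLE_PM))
```

Permission triage on its own is a screen, not proof: a genuine messenger legitimately needs camera, microphone and contacts access, so the finding worth a human look is the combination of a sideloaded install with broad reach into the data categories the article lists.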