Facebook uncovers cyber espionage campaigns targeting thousands that appear to be emanating from Pakistan and India.
A cyber espionage group believed to be operating out of India and Pakistan has been spying on thousands of people by using malware that masquerades as popular secure-messaging apps, according to a new report from Facebook.
The report details the efforts of a group known as Bitter APT, which has been installing malware on Android devices via fake versions of the encrypted messaging apps WhatsApp, Signal and Telegram, the last of which has surged in popularity among Ukrainians as a tool for communicating information about the Russian invasion. (APT stands for “Advanced Persistent Threat” and is a designation typically given to state-sponsored hacking groups.) Dubbed “Dracarys,” a name found in the malware code and a possible reference to Game of Thrones, the malware can, Facebook says, siphon off all kinds of information from an Android device, including call logs, contacts, files, text messages and geolocation data. It can also access a device’s camera and microphone.
Dracarys has been propagated on Meta’s social media sites, Facebook and Instagram, by hackers posing as attractive young women, journalists or activists, who convince their targets to download the bogus app. Once they’ve done so, Dracarys abuses the accessibility features intended to assist users with disabilities to automatically click through and grant broad device permissions such as the ability to access the camera.
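The abuse described above leaves a footprint a defender can check: an app can only drive the accessibility framework if its service appears in Android's `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries, readable with `adb shell settings get secure enabled_accessibility_services`). The script below is an added example, not code from the Forbes article or from Meta's report. It parses that setting, flags packages outside an administrator's allowlist, and flags packages that borrow a messenger's brand name without being the genuine app. The sample setting value, the allowlist and the package `com.example.whatsapp.update` are constructed for illustration; the genuine package IDs for WhatsApp, Signal and Telegram are from general knowledge of those apps, not from the article.

```python
"""Audit Android's enabled accessibility services for unexpected entries.

Added example, not part of the Forbes article or Meta's report. Reads the
value of the secure setting `enabled_accessibility_services` (on a device:
`adb shell settings get secure enabled_accessibility_services`) and reports
services that an administrator did not expect to see.
"""
from typing import Dict, List, Set

# Constructed allowlist: packages expected to hold accessibility access in a
# hypothetical fleet (TalkBack is Android's screen reader).
EXPECTED_ACCESSIBILITY_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
}

# Genuine package IDs of the messengers the fake apps imitated (from general
# knowledge of those apps, not from the article).
GENUINE_MESSENGER_PACKAGES: Dict[str, str] = {
    "whatsapp": "com.whatsapp",
    "signal": "org.thoughtcrime.securesms",
    "telegram": "org.telegram.messenger",
}

# Constructed sample of what the setting might contain on an infected device:
# the legitimate screen reader plus a lookalike "WhatsApp" package.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.whatsapp.update/.SyncService"
)


def parse_enabled_services(setting_value: str) -> List[Dict[str, str]]:
    """Split the setting into {package, service} records.

    Entries are `package/Service`; a service part starting with `.` is
    Android's shorthand for a class under the same package.
    """
    entries: List[Dict[str, str]] = []
    for raw in setting_value.strip().split(":"):
        if not raw:
            continue
        if "/" not in raw:
            # Malformed entry: keep it visible rather than dropping it silently.
            entries.append({"package": raw, "service": ""})
            continue
        package, service = raw.split("/", 1)
        if service.startswith("."):
            service = package + service
        entries.append({"package": package, "service": service})
    return entries


def find_unexpected_packages(
    setting_value: str,
    allowlist: Set[str] = EXPECTED_ACCESSIBILITY_PACKAGES,
) -> List[str]:
    """Packages with accessibility access that are not on the allowlist."""
    packages = {e["package"] for e in parse_enabled_services(setting_value)}
    return sorted(packages - allowlist)


def find_lookalike_packages(setting_value: str) -> List[str]:
    """Packages whose name borrows a messenger brand but is not the real app."""
    hits: Set[str] = set()
    for entry in parse_enabled_services(setting_value):
        pkg = entry["package"]
        for brand, genuine in GENUINE_MESSENGER_PACKAGES.items():
            if brand in pkg.lower() and pkg != genuine:
                hits.add(pkg)
                break
    return sorted(hits)


if __name__ == "__main__":
    for entry in parse_enabled_services(SAMPLE_SETTING):
        print(f"enabled: {entry['package']} ({entry['service']})")
    print("unexpected:", find_unexpected_packages(SAMPLE_SETTING))
    print("lookalikes:", find_lookalike_packages(SAMPLE_SETTING))
```

On a real device, feed the script the output of the `adb shell settings get secure` command in place of `SAMPLE_SETTING`; any package that is not on the allowlist, and especially one that imitates a messenger's name, is worth treating as a candidate for removal and further investigation.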
According to Facebook, that trick meant the malware could harvest data on the phone and appear to be legitimate, meaning anti-virus systems failed to detect it. “It shows that Bitter has managed to reimplement common malicious functionality in a way that went undetected by the security community for some time,” Facebook wrote in its report.
Previously, Forbes reporting found links between Bitter APT and the Indian government, after the group had acquired an American company’s Microsoft Windows hacking tools. The Meta-owned social media giant would not say whether it believed Bitter APT was Indian in origin, but noted it operated out of South Asia, targeting people in New Zealand, India, Pakistan and the United Kingdom. Cisco’s Talos cybersecurity research division recently said the group has been running attacks since 2013 on energy, engineering and government entities in China, Pakistan and Saudi Arabia.
Android may not have been Bitter APT’s only target. Facebook also saw the group’s fake personas distributing links to downloads of an iPhone chat application. The hackers tried to convince targets to download Apple’s TestFlight service, which developers use to test apps, and then install the chat app through it. By using TestFlight, the hackers didn’t have to rely on a sophisticated technical hack of the iPhone, only on their social engineering skills. Facebook was unable to determine whether this software actually contained any malicious code, but theorized “it may have been used for further social engineering on an attacker-controlled chat medium.” The company reported its findings to Apple.
Apple had not provided comment at the time of publication.
A Google spokesperson said, “The Android malware was not uploaded and distributed through the Play Store. All of the distribution domains have been blocked in Google Safe Browsing and the Android users who have installed these packages will receive a warning on their device.”
On Thursday, Facebook also announced action on a Pakistan-based government hacking unit known as APT36. It, too, was creating Android spy tools masquerading as apps including WhatsApp, the Chinese social network WeChat and YouTube. That malware was effectively a modified version of a known Android tool called XploitSPY, “originally developed by a group of self-reported ethical hackers in India.” It was also capable of snooping on contacts and call lists and listening to victims via the device’s microphone. APT36 had been spotted targeting people in Afghanistan, India, Pakistan, the UAE and Saudi Arabia, “including military personnel, government officials, employees of human rights and other nonprofit organizations, and students.”
Mike Dvilyanski, Facebook’s head of cyber espionage investigations, said Meta has identified 10,000 users across at least nine countries who may have been targeted by APT36 and Bitter APT and is in the process of warning those users directly over Facebook and Instagram. “If we think that you might have come into any contact with any of these groups, we want to alert you and we want to tell you the tools that you can use to secure your online presence,” he told Forbes.
Neither the Pakistan nor the Indian embassies in London had responded to requests for comment at the time of publication.
Source: forbes.com