Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors, which recently started using the novel coronavirus as its newest lure to entice its targets to download malware. This campaign appears to have been active since the start of January 2018, and targets Arabic-speaking users, likely in Syria and the surrounding region.

None of these apps were available on the official Google Play Store, suggesting they were likely distributed through actor-operated watering holes or third-party app stores. Lookout previously reported on another surveillanceware campaign using COVID-19 related lures targeting Libya.

Below are some of the findings from Lookout's blog

Syrian Connections

Lookout researchers found 71 malicious Android applications connected to the same command-and-control (C2) server. The researchers note that the IP address of the C2 server is located in a block of addresses held by Tarassul Internet Service Provider, an ISP owned by - and sharing network infrastructure with - the Syrian Telecommunications Establishment (STE).  STE, claim the researchers, has a history of hosting infrastructure for the Syrian Electronic Army (SEA), a Syrian state-sponsored hacking group. Notably, the C2 servers of SilverHawk, an Android malware family previously reported on by Lookout researchers, were located on IP addresses belonging to STE.

Not all applications in this campaign were completely scrubbed of sensitive information when they were created, but a large portion of the malicious applications are SpyNote samples, which store C2 information, along with user inputted names, version numbers, and other information, in res/values/strings.xml, say the researchers. In the strings.xml files of these applications, 22 APKs reference “Allosh”, a name previously used in connection with a known Syrian Electronic Army persona  -  a group which has been active recently, with one of their Twitter accounts claiming responsibility this month for DDoS attacks against Belgian media, as well as defacing PayPal and eBay websites as recently as April 7, 2020.

Initial Discovery

Lookout researchs began the investigation with the discovery of an application (3c5fd8b163b32cde47dd50c4b61ab087c0cad8d4) called “Covid19”, an AndoServer malware sample that was signed and packaged on March 28, 2020. Upon launch, say the researchers, this application asks to install an application titled “قياس درجة” (Degree Measure), and requests permission to take pictures, video, and modify or delete contents of the SD card before removing its own launch icon.

The newly installed application (com.finger.body.temperature.ap) is a benign prank, report the researchers - a fake digital thermometer that is meant to serve as a decoy, while the malware continues to operate in the background.

According to the researchers, AndoServer samples receive commands, and are capable of:

  • Taking a screenshot
  • Getting battery levels and if the device is plugged in
  • Reporting location (latitude and longitude)
  • Getting a list of installed applications
  • Launching an application specified by the malicious actor
  • Checking the number of cameras on a device
  • Choosing a specific camera to access
  • Creating a specific pop-up message (toast)
  • Recording audio
  • Creating a file on external storage
  • Exfiltrating call logs
  • Listing files contained in a specified directory
  • Calling a phone number
  • Exfiltrating SMS messages
  • Sending SMS to a phone number
  • Exfiltrating the contact list
  • Playing a ringtone and then sleeping

AndoServer malware has its C2 domain or IP address hard coded into the source code, add the researchers: "Each sample also has its own unique identifier string at the start of its communication with C2 servers, that appears to be for the actor to monitor which application in their arsenal is responsible for the compromise, as they can see the unique application installed by the specific victim.  While not always the case, some unique identifiers are similar to the name of the C2 domain, while other times they refer to the title of the application, highlighting another level of customization of this malware."

For more information and the full blog, please visit https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures