The Carrier
- Lookout has identified 71 malware-spreading Android apps connected to the same command-and-control (C2) server.
- The long-running surveillance campaign, which appears to have been active since January 2018, has recently started using COVID-19 lures to take advantage of the panic caused by the pandemic.
The Malware
- 64 apps carry SpyNote, a family of commercial surveillanceware.
- The other apps carry SandroRat, AndoServer, and SLRat.
- The downloaded app serves as a distraction, while the malware runs in the background.
- While some AndoServer samples are only surveillanceware, others contain legitimate apps inside the malware, with a benign APK hidden in the res/raw folder.
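A triage check for the packaging trait described above (an APK stored inside res/raw of another APK), as an added example that is not Lookout's code. The function name, the size limit and the in-memory sample archives are assumptions constructed for illustration; a hit is a reason to inspect the app further, since res/raw can also hold legitimate archives.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"            # local file header that starts every APK
MAX_ENTRY = 64 * 1024 * 1024         # assumed cap to avoid decompression bombs

def find_embedded_apks(apk_bytes):
    """Return res/raw entry names whose content is itself an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith("res/raw/"):
                continue
            if info.file_size > MAX_ENTRY:
                continue             # too large to unpack safely here
            data = outer.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue             # ordinary raw resource (audio, text, ...)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            # A ZIP carrying a manifest at its root is an app package,
            # not just a bundled data archive.
            if "AndroidManifest.xml" in names:
                hits.append(info.filename)
    return hits

def _make_zip(entries):
    """Build a ZIP in memory from {name: bytes} (helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: not real apps, only the archive layout matters.
INNER_APK = _make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex"})
DATA_ZIP = _make_zip({"data.txt": b"hello"})
SAMPLE_WITH_HIDDEN_APK = _make_zip({
    "AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex",
    "res/raw/sound.ogg": b"OggS", "res/raw/bundled": INNER_APK,
})
SAMPLE_CLEAN = _make_zip({
    "AndroidManifest.xml": b"<manifest/>", "res/raw/assets.zip": DATA_ZIP,
})

if __name__ == "__main__":
    print(find_embedded_apks(SAMPLE_WITH_HIDDEN_APK))
    print(find_embedded_apks(SAMPLE_CLEAN))
```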
The Risk
- Once the malware is installed, hackers can:
  - Take screenshots
  - Record location (latitude and longitude)
  - Choose and access the device camera
  - Launch other malicious apps
  - Exfiltrate contacts, SMS, and call logs
  - Make calls and send SMS
The Threat Actor
- The IP address of the C2 server belongs to an ISP owned by the Syrian Telecommunications Establishment, which is known for hosting infrastructure for the SEA (Syrian Electronic Army), a Syrian state-backed hacking group.
- The strings.xml files of 22 APKs refer to “Allosh”, a name associated with an SEA persona.
- The SEA recently claimed responsibility for DDoS attacks on Belgian media, and for defacing PayPal and eBay websites.
Indicators of Compromise (SHA1 hashes of the malicious apps)