Israeli servicemen are under cyber attack, with thousands of devices compromised and turned into spying gear.
According to Kaspersky Lab, starting in the middle of last year, more than 100 Israeli servicemen were hit by an attack that exfiltrated data to the attackers' command and control (C&C) servers. The compromised devices were then pushed Trojan updates that allow the attackers to extend their capabilities.
Experts believe the campaign is still ongoing and in its early stages, targeting a range of Android devices. Once compromised, the smartphones or tablets are turned into spying devices that can make use of their audio and video capabilities.
The attackers use a range of social engineering techniques, leveraging various social networks, to get soldiers to share confidential information.
According to Kaspersky, which worked with the IDF C4I and IDF Information Security Department units, the victims are Israeli servicemen of different ranks, most of them serving in the Gaza Strip.
Victims are lured through social networks into installing a malicious application: once the APK file has been downloaded from a malicious address, the app has to be installed manually. The app requests permission to delete and install packages and to write to external storage, as well as to access the Internet and the network state.
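The permission set described above is a useful triage signal on its own. The following script is an added example, not code from the article or from Kaspersky: it reads an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and flags an app only when all three groups from the article (package install/delete, external storage, network access) are requested together. The sample manifest and the package name in it are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission set described
in the article. Assumes the manifest is already plain XML (e.g. apktool
output); the sample manifest below is constructed, not real malware."""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups matching the behaviour the article describes.
PROFILE = {
    "package_control": {"android.permission.INSTALL_PACKAGES",
                        "android.permission.DELETE_PACKAGES"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "network": {"android.permission.INTERNET",
                "android.permission.ACCESS_NETWORK_STATE"},
}

def manifest_permissions(xml_text: str) -> tuple[str, set[str]]:
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return root.get("package", ""), {p for p in perms if p}

def match_profile(perms: set[str]) -> dict[str, set[str]]:
    """Map each profile group that is present to the permissions that hit it."""
    return {g: perms & wanted for g, wanted in PROFILE.items() if perms & wanted}

def triage(xml_text: str) -> dict:
    """Flag the app as dropper-like only when every profile group is present,
    so an ordinary networked app with storage access is not flagged."""
    pkg, perms = manifest_permissions(xml_text)
    hits = match_profile(perms)
    return {"package": pkg, "hits": hits,
            "dropper_like": set(hits) == set(PROFILE)}

# Constructed sample manifest (hypothetical package name).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On real devices INSTALL_PACKAGES and DELETE_PACKAGES are not granted to ordinary third-party apps, so the check is a reason to look closer rather than proof of compromise.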
Depending on the device, the dropper relies on a configuration server to decide which payload to download. The dropper also sends the server a list of the apps installed on the device. Depending on what is already there, one variant will pose as a YouTube player, while others pose as chat apps, something we've noticed before with other types of malware.
One payload, "WhatsApp_Update", can execute manual commands triggered by the operator and schedule tasks that periodically collect information from various sources.