A new Android campaign has been found spreading across the Middle East in an attempt to steal device and communications data belonging to Android users. The campaign, dubbed ViceLeaker, has been active since May 2018.
According to researchers at Kaspersky, several Android devices belonging to Israeli citizens were targeted in the earliest recorded attack, and analysis of the APK revealed a spyware program designed to exfiltrate almost all accessible information.
The main infection vector appears to be through the Telegram and WhatsApp messenger apps. Links to fake Trojanized apps are sent to the victims. The mobile malware also injects legitimate mobile applications with a backdoor for continuous access after compromising an Android device.
The actors behind the malware use an injection technique based on Smali, together with the Baksmali tool, to take apart the original app's code, add their own malicious modifications, and recompile it.
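Repackaging an app this way leaves two traces a defender can check for when triaging a suspicious sample: the dex bytecode no longer matches the official build, and the signature files under META-INF are replaced, because the attacker cannot re-sign with the developer's key. The script below is an added example, not code from the article or from Kaspersky; it diffs a suspect APK against a known-good copy of the same app version entry by entry. The two archives it compares are constructed in memory as stand-ins for a real Play Store build and a repackaged copy.

```python
"""Triage check: diff a suspicious APK against a known-good copy of the same app.

An APK is a zip archive, so the comparison needs only the standard library.
"""
import hashlib
import io
import zipfile


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every file entry in the APK to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apk(reference: bytes, suspect: bytes) -> dict:
    """Report added, removed and modified entries, plus two repackaging signals:
    the signature block changed (re-signed) and dex code changed."""
    ref = entry_digests(reference)
    sus = entry_digests(suspect)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    modified = sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n])
    touched = added + removed + modified
    resigned = any(n.startswith("META-INF/") for n in touched)
    code_changed = any(n.endswith(".dex") for n in added + modified)
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "resigned": resigned,
        "code_changed": code_changed,
        "likely_repackaged": resigned and code_changed,
    }


def build_apk(entries: dict) -> bytes:
    """Build a minimal zip archive from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (not real app contents): the developer's build ...
LEGIT_APK = build_apk({
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00original bytecode",
    "res/layout/main.xml": b"<layout placeholder>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"<developer signature block>",
})

# ... and a copy whose dex was patched and which was re-signed with another key.
REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00original bytecode + injected backdoor class",
    "res/layout/main.xml": b"<layout placeholder>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: other tool\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\nSHA-256-Digest-Manifest: changed\n",
    "META-INF/ATTACKER.RSA": b"<third-party signature block>",
})


def triage_sample() -> dict:
    """Run the diff on the constructed pair."""
    return diff_apk(LEGIT_APK, REPACKAGED_APK)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Compare against the same version of the app obtained from the official store, not an arbitrary release: a legitimate update also changes the dex and the signature files, so across versions the decisive signal is a different signing certificate rather than a different digest.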
The malicious ViceLeaker APK contained a variety of very common spyware features including the exfiltration of SMS messages, call logs, and device information such as phone model, the operating system in use, and a list of all installed applications.
Kaspersky states that ViceLeaker is different due to its backdoor functionality, the ability to take over the device’s camera, to record audio, and to both steal and delete files stored on the mobile device.
They also found a sample of a modified version of the open-source Jabber/XMPP client "Conversations" that belongs to the ViceLeaker group. Although the legitimate program is available on Google Play, the modified version sends geographical coordinates to the C2 whenever a message is sent via the app. The modified Conversations app appears as Telegram Messenger on mobile devices.
According to the researchers, they did not find anything malicious in the Conversations app, even though it was a backdoored version of the app used to infect victims, so they believe it might be a version used by the ViceLeaker group for internal communication or other purposes.
Although the ViceLeaker operation is still ongoing, the attackers have taken down their communication channels and may be looking for ways to reassemble their tools in a different manner.