Malicious Facebook password stealing apps: A global mobile espionage campaign that was in operation since 2012 was recently uncovered due to an exposed server on the open internet. According to the researchers, the espionage group was linked with Lebanese General Directorate of General Security (GDGS) and was able to collect hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 different countries
The espionage group dubbed Dark Caracal have targeted military personnel, medical professionals, journalists, lawyers, activists and more. The data stolen by them include call records, documents, secure messaging client content, browsing history, contact information, photos, and location data – enough information to identify a person and closely monitor his/her life.
As strange as it may sound, the hackers did not use any advanced ways to hack into their victim's system. Instead, the hackers used basic social engineering techniques that include sending posts on Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and application permissions.
Once tricked into landing on the malicious websites, the victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, on targets' mobile devices.
Pallas is a malware that's capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes.
Besides the Dark Caracal malware(Pallas), security researchers have also discovered a new piece of malware, dubbed GhostTeam, in at least 56 applications on Google Play Store. The application is designed to steal login credential and display pop-ups to their victims. The malware pose as various utility (flashlight, QR code scanner, compass) and device performance-boosting apps (file transfer, cleaner) and social media video downloaders.
When the malware is first installed, it confirms if the device is not a virtual environment. Once it knows it's running on a real device, the app downloads the payload, hiding it as a Google Play Services app. When the user next opens Google Play or Facebook on the infected device they get a popup urging them to install the fake Google Play Services app and then ask them to grant it administrator permissions.
Moreover, when the victims open their Facebook app the malware displays a fake prompt and asks them to reverify their account by logging into Facebook. The malware simply launches a WebView component with a fake Facebook look-alike login page and ask users to log-in. Apparently, WebView code steals the victim's Facebook username and password and sends them to a remote hacker-controlled server.
In addition to that, GhostTeam also aggressively pushes full-screen pop-up ads to the victim as a means of generating revenue from clicks. At present, all the apps have been removed by Google from the Play Store after researchers reported them to the company. The most users affected by the GhostTeam malware reportedly resides in India, Indonesia, Brazil, Vietnam, and the Philippines.
“In the modern era, mobile phones have become not only the most used digital equipment but a virtual organ of every user in the absence of which, most of us will have a hard time surviving. Your smartphone is basically a blueprint of you and your behaviours. It holds each an every detail of your day to day activity, be it access to your social media account, the log of places you've been and regularly visit, people in your life, how important they are or even your extremely personal information such as your identification tokens like biometrics and private conversations and digital media. it's all there,” said Ankush Johar, Director at Infosec Ventures.
“Humans are the weakest link in cybersecurity and hackers know that. Hence, it's not the first time when cyber criminals have leveraged social engineering tactics to infiltrate into personal/professional lives. Your security is in your own hands and you should be cautious with which messages, websites, emails and phone calls you trust,” said Johar
“If a hacker manages to gain access to your device he/she can access your messages, photographs, documents, contacts, email, social media accounts, mobile wallets, bank account details the log of places you've been – in short, everything that if misused can destroy you financially as well as socially,” said Johar.
Here are some following tips that should help you keep your mobile device secure :
- Always check what all permission the app requires the users to allow before installation. Stay cautious with permissions that don't seem legitimate, for instance, if a calculator app wants to access your call logs or messages it is clear that the app wants unnecessary permission and can be malicious. Trust your gut!
- Don't download apps from unknown sources, they can be infected with data-stealing malware hidden behind a genuine looking app. Stay away from pirated apps too as they are the main source of malware.
- Google recently launched “Google play protect”. Make sure that an application is verified by “Google Play Protect” else avoid downloading the app when using an Android device.
- Do not enter your confidential information like bank account details, personal identifiers, OTPs, passwords etc. on arbitrary applications. Carefully verify that the application is what it is claiming to be before entering any data into it.
- For added security, set your app store settings to “Do not allow third-party app downloads from untrusted sites.”
- Check the number of download before installing, if the number is less than 50,000, it might not be completely safe and legitimate.
- Check the reviews and ratings given by others users who have installed the application. If the ratings are unsatisfactory it is not preferable to download the app.
- Think Before you click! Your security is in your own hands, if you feel something seems phishy, go with your gut and stay away from it.