US-based cybersecurity firm Lookout has discovered that the Syrian regime is waging a hacking campaign against Syrian citizens and smartphone users by distributing coronavirus-themed applications that act as spyware. According to the company, over the past month, hackers affiliated with the Syrian regime have used 71 new malicious Android applications that exploit the coronavirus pandemic as a lure. These applications allow the regime’s intelligence services to obtain the user’s geographical location, messages, photos, videos, audio recordings, and contacts.

While some of the malware samples were developed in March, the campaign is part of an espionage effort that has been running since at least January 2018, and appears to target Arabic speakers, Syrians, and those who might criticize the Syrian government.

Kristin Del Rosso, a security research engineer focusing on reverse engineering of Android applications at Lookout, said in a statement to CyberScoop: “If your device is infected and someone is watching you because you are a dissident, a revolutionary, or a journalist, they will now know who you talk to, where you go, and who you meet.”

Del Rosso stated that the campaign is part of the regime’s long-running intelligence operations against the Syrian population, and added, “This ongoing campaign has used a variety of application names, and as is the case with any major political, economic, or health event, the new crisis gives actors something new that can be exploited to infect people with malware.”

One of the applications used in the Syrian campaign, which impersonates an app for measuring the user’s body temperature, asks users to grant permissions to take photos and video clips and to modify or delete the contents of the external memory card. The application, which spreads the AndoServer malware, also has other capabilities that run in the background without users’ awareness.

According to the researchers, the program can track the geographical location of users, run other applications, record audio, and extract call logs, text messages, and contact lists, in addition to being able to place calls and send text messages to specific contacts.
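As an added illustration (not code from Lookout or from the article), the script below checks a constructed AndroidManifest.xml fragment modelled on the thermometer lure against the permissions such an app would plausibly need and maps every excess permission to the surveillance capability it gates; the sample manifest, the expected permission set, and the permission-to-capability mapping are assumptions for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to the spyware, mapped to the Android
# permission that gates each one (mapping is an assumption for this example).
CAPABILITY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CALL_LOG": "extract call logs",
    "android.permission.READ_SMS": "extract text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.READ_CONTACTS": "extract contact lists",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.CAMERA": "take photos and video",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete external storage",
}

# Constructed manifest fragment modelled on the body-temperature lure.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.thermometer.lure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def surveillance_capabilities(manifest_xml: str, expected: set) -> dict:
    """Map each requested permission outside `expected` to the capability it enables."""
    excess = requested_permissions(manifest_xml) - expected
    return {p: CAPABILITY_PERMISSIONS[p] for p in sorted(excess) if p in CAPABILITY_PERMISSIONS}


if __name__ == "__main__":
    # Assumption: a temperature-reading app needs network access at most.
    for perm, cap in surveillance_capabilities(SAMPLE_MANIFEST, {"android.permission.INTERNET"}).items():
        print(perm, "->", cap)
```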

Some of the spy apps used by the hackers never offer any actual functionality to victims, Del Rosso said. Lookout researchers link this campaign to the Syrian regime because the applications’ command-and-control servers are located within a block of addresses owned by the Internet service provider Tarasul, itself owned by the Syrian Telecommunications Establishment (STE), which in the past provided the infrastructure for the Syrian state-backed hacking group known as the Syrian Electronic Army (SEA).

The majority of the malicious apps in the Syrian surveillance campaign use a customized version of the commercially available SpyNote malware, which is consistent with the historical activity of the Syrian Electronic Army (SEA). Evidence suggests that users are obtaining the malware-laden apps from unofficial sources, because they are not available on the Google Play Store.
