Cybersecurity researchers are warning about an ongoing Android malware campaign that has been active since 2016 and was first publicly reported in August 2018.
Dubbed “ViceLeaker” by researchers at Kaspersky, the campaign has recently been found targeting Israeli citizens and users in some other Middle Eastern countries with powerful surveillance malware designed to steal almost all accessible information, including call recordings, text messages, photos, videos, and location data—all without the users’ knowledge.
Besides these traditional spying functionalities, the malware also has backdoor capabilities, including uploading, downloading, and deleting files, recording surrounding audio, taking over the camera, and making calls or sending messages to specific numbers.
The malware used in these campaigns was named “Triout” in a report published by Bitdefender in 2018. It is essentially a malware framework that attackers use to turn legitimate applications into spyware by injecting an additional malicious payload into them.
In a new report published today, Kaspersky Lab revealed that attackers are actively using the Baksmali tool to disassemble the code of a legitimate app, inject their malicious code into it, and then reassemble it—a technique commonly known as Smali injection.
“Based on our detection statistics, the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers,” the researchers said.
Besides this, researchers also found that the code the malware uses to parse commands from its command-and-control server resembles that of modified versions of an open source XMPP/Jabber client for Android called “Conversations.”
“In addition, we did not see traces of the Smali injection [in the modified Conversations app],” Kaspersky researchers explained, but “found traces of dx/dexmerge compilers, which means that, this time, the attackers just imported the original source code into an Android IDE (such as Android Studio, for instance) and compiled it with their own modifications.”
However, those modified versions of the Conversations app do not contain any malicious code but appear to be used by the same group of attackers for some yet-undiscovered purpose.
“This brought to us the hypothesis that this might be the version used by the group behind ViceLeaker for internal communication or for other, unclear purposes. All the detections of this backdoored app were geolocated in Iran,” researchers said.
According to the researchers, the ViceLeaker attack campaign is still ongoing, and attackers could potentially distribute malicious repackaged versions of legitimate apps through third-party app stores, instant messengers, or attacker-controlled online webpages.
Since such apps masquerade as legitimate or popular apps, Android users are strongly advised to download apps only from trusted sources, such as the Google Play Store, to avoid falling victim to this attack.
However, you should not blindly trust every app on the Play Store either; stick to verified developers to avoid installing malicious apps.
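A repackaged app produced by the Smali-injection workflow described above has to be re-signed before it will install, and unless the attackers also hold the original developer's private key, that signature comes from a key of their own. Pinning the legitimate signing certificate's fingerprint is therefore the concrete check behind the "trusted sources" advice. The following Python script is an added example, not code from the article or from Kaspersky or Bitdefender: it walks the DER structure of an APK's v1 (JAR) signature block with a minimal parser, extracts the signer certificates, and compares their SHA-256 fingerprints with a pinned allow-list. The `build_sample_apk` helper, the `LEGIT_CERT` and `ATTACKER_CERT` blobs, and the stub `classes.dex` are constructed placeholders (not real X.509 certificates) that exist only so the check can be exercised offline.

```python
"""Pin an APK's v1 (JAR) signer certificate against a trusted fingerprint list."""
import hashlib
import io
import zipfile

# OID 1.2.840.113549.1.7.2 (pkcs7-signedData) and 1.2.840.113549.1.7.1 (pkcs7-data)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
OID_DATA = bytes.fromhex("2a864886f70d010701")


def der_read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos] (single-byte tags only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value, raw_tlv) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        start = pos
        tag, value, pos = der_read_tlv(buf, pos)
        yield tag, value, buf[start:pos]


def pkcs7_certificates(der):
    """Return the raw DER certificates carried in a PKCS#7 SignedData blob."""
    top = list(der_children(der))
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(der_children(top[0][1]))
    if (len(fields) != 2 or fields[0][0] != 0x06
            or fields[0][1] != OID_SIGNED_DATA or fields[1][0] != 0xA0):
        raise ValueError("not PKCS#7 SignedData")
    signed_data = list(der_children(fields[1][1]))[0]   # the [0] EXPLICIT wrapper's SEQUENCE
    certs = []
    for tag, value, _raw in der_children(signed_data[1]):
        if tag == 0xA0:                    # [0] IMPLICIT certificates: concatenated SEQUENCEs
            certs.extend(raw for t, _v, raw in der_children(value) if t == 0x30)
    return certs


def cert_fingerprint(cert_der):
    """SHA-256 over the full DER certificate, as apksigner prints it."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_v1_signer_fingerprints(apk_bytes):
    """Collect fingerprints of every signer certificate in META-INF/*.RSA|DSA|EC."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(cert_fingerprint(cert))
    return fps


def is_trusted_signer(apk_bytes, pinned_fingerprints):
    """True only if the APK carries at least one signer and every signer is pinned."""
    fps = apk_v1_signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= set(pinned_fingerprints)


# ---- constructed sample data (placeholders, not real certificates or a real app) ----
def der_encode(tag, value):
    """Minimal DER TLV encoder for building the sample blobs (lengths < 65536)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


LEGIT_CERT = der_encode(0x30, b"constructed stand-in for developer certificate")
ATTACKER_CERT = der_encode(0x30, b"constructed stand-in for attacker re-signing certificate")


def build_pkcs7(cert_der):
    """Wrap cert bytes in a PKCS#7 SignedData skeleton (empty digest/signer sets)."""
    fields = (der_encode(0x02, b"\x01")                          # version
              + der_encode(0x31, b"")                             # digestAlgorithms
              + der_encode(0x30, der_encode(0x06, OID_DATA))      # contentInfo
              + der_encode(0xA0, cert_der)                        # [0] certificates
              + der_encode(0x31, b""))                            # signerInfos
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA)
                      + der_encode(0xA0, der_encode(0x30, fields)))


def build_sample_apk(cert_der):
    """Build an in-memory zip shaped like a v1-signed APK carrying cert_der."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0 constructed placeholder")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", build_pkcs7(cert_der))
    return buf.getvalue()


if __name__ == "__main__":
    pins = {cert_fingerprint(LEGIT_CERT)}
    print("original app trusted:", is_trusted_signer(build_sample_apk(LEGIT_CERT), pins))
    print("re-signed repackage trusted:", is_trusted_signer(build_sample_apk(ATTACKER_CERT), pins))
```

This covers only the v1 scheme; APKs signed with v2 or v3 keep their certificates in the APK Signing Block rather than in META-INF, and the pin check here does not verify the signature itself. On a workstation, `apksigner verify --print-certs` is the authoritative way to obtain the fingerprints to pin and to confirm the package's integrity.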