Facebook says cyber spies are using fake WhatsApp and Signal apps to snoop on thousands
The hackers used malware that could access call logs, text messages and a device’s camera and microphone.
An online espionage group believed to be operating out of India and Pakistan has spied on thousands of people using malware masquerading as popular secure messaging apps, according to a new report from Facebook.
The report details the efforts of a group known as Bitter APT, which has installed malware on Android devices via fake versions of the encrypted messaging apps WhatsApp, Signal and Telegram; those apps have grown in popularity among Ukrainians as a tool to communicate information about the Russian invasion (APT stands for “Advanced Persistent Threat” and is a designation usually given to state-sponsored hacker groups). Called “Dracarys”, a name found in the malware code and a possible reference to Game of Thrones, the malware, Facebook says, can exfiltrate all kinds of information from an Android device, including call logs, contacts, files, text messages and geolocation data. It can also access a device’s camera and microphone.
Dracarys has been propagated on Meta’s social media platforms, Facebook and Instagram, by hackers posing as attractive young women, journalists or activists, who convince their targets to download the fake app. Once they do, Dracarys abuses the accessibility features meant to help users with disabilities to automatically click through permission prompts and grant itself broad device permissions, such as the ability to access the camera.
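The pattern above (a look-alike messenger that enables an accessibility service and then holds call-log, SMS, camera or microphone permissions) is something an analyst can check for on a device. The following triage helper is an added example, not code from the article or from Meta; the official package names are real, while the device data, the inventory layout and the `.A11yService` component name are constructed for this example.

```python
"""Flag look-alike messengers and accessibility-plus-sensitive-permission combos."""
OFFICIAL = {  # display label -> legitimate package name (real values)
    "WhatsApp": "com.whatsapp",
    "Signal": "org.thoughtcrime.securesms",
    "Telegram": "org.telegram.messenger",
}
# Runtime permissions matching the collection the report describes.
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS"}

def parse_enabled_services(setting: str) -> dict[str, list[str]]:
    """Map package -> service components from the colon-separated string that
    `adb shell settings get secure enabled_accessibility_services` returns."""
    out: dict[str, list[str]] = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, svc = entry.partition("/")
        out.setdefault(pkg, []).append(svc)
    return out

def triage(setting: str, inventory: dict[str, dict]) -> list[str]:
    """Return findings; an empty list means nothing suspicious was seen.
    `inventory` is a constructed per-package summary: label + granted perms."""
    findings = []
    a11y = parse_enabled_services(setting)
    for pkg, info in inventory.items():
        label, granted = info["label"], set(info["granted"])
        official = OFFICIAL.get(label)
        if official and official != pkg:  # brand label on a foreign package
            findings.append(f"{pkg}: label '{label}' impersonates {official}")
        if pkg in a11y and granted & SENSITIVE:  # accessibility + data access
            perms = ", ".join(sorted(p.rsplit(".", 1)[1] for p in granted & SENSITIVE))
            findings.append(f"{pkg}: accessibility service enabled with {perms}")
    return findings

# Constructed sample: a genuine Signal install plus a look-alike "WhatsApp".
SAMPLE_SETTING = "com.whatsapp.secure.msg/.A11yService"
SAMPLE_INVENTORY = {
    "org.thoughtcrime.securesms": {"label": "Signal",
        "granted": ["android.permission.CAMERA", "android.permission.RECORD_AUDIO"]},
    "com.whatsapp.secure.msg": {"label": "WhatsApp",
        "granted": ["android.permission.CAMERA", "android.permission.READ_SMS",
                    "android.permission.READ_CALL_LOG"]},
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SETTING, SAMPLE_INVENTORY):
        print(line)
```

The genuine Signal entry produces no finding even though it holds camera and microphone permissions, because it has no accessibility service enabled; only the combination, or a brand label on the wrong package, is reported.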
According to Facebook, this trick let the malware harvest data from the phone while appearing legitimate, so anti-virus systems failed to detect it. “It shows that Bitter has managed to reimplement common malicious functionality in a way that was not discovered by the security community for some time,” Facebook wrote in its report.
Previously, Forbes reporting found links between Bitter APT and the Indian government, after the group acquired a US company’s Microsoft Windows hacking tool. The Meta-owned social media giant would not say whether it believed Bitter APT was of Indian origin, but noted that it operated from South Asia, targeting people in New Zealand, India, Pakistan and the UK. Cisco’s Talos cybersecurity research division recently said the group has been running attacks since 2013 on energy, engineering and government entities in China, Pakistan and Saudi Arabia.
Android may not have been Bitter APT’s only target. Facebook also saw the group’s fake personas distributing links to downloads of an iPhone chat application. The hackers tried to convince targets to download Apple’s TestFlight service, which developers use to test apps, and then install the chat app through it. Using TestFlight, the hackers didn’t have to rely on a sophisticated technical iPhone hack, just their social engineering skills. Facebook was unable to determine whether this software actually contained malicious code, but theorized that “it may have been used for further social development on an attacker-controlled chat medium.” The company reported its findings to Apple.
Apple had not commented at the time of publication.
A Google spokesperson said: “Android malware was not uploaded and distributed through the Play Store. All distribution domains have been blocked in Google Safe Browsing, and Android users who have installed these packages will receive a warning on their device.”
On Thursday, Facebook also announced action against a Pakistan-based state hacking unit known as APT36. That group also created Android spy tools released as apps impersonating WhatsApp, the Chinese social network WeChat and YouTube. This malware was actually a modified version of a well-known Android tool known as XploitSPY, “originally developed by a group of self-reported ethical hackers in India.” It was also able to snoop on contacts and call lists and to listen to victims via the device’s microphone. APT36 had been seen targeting people in Afghanistan, India, Pakistan, the UAE and Saudi Arabia, “including military personnel, government officials, staff of human rights and other non-profit organizations, and students.”
Mike Dvilyanski, Facebook’s head of cyber espionage investigations, said Meta has identified 10,000 users in at least nine countries who may have been targeted by APT36 and Bitter APT and is in the process of warning users directly over Facebook and Instagram. “If we believe you may have come into contact with any of these groups, we want to notify you and we will tell you the tools you can use to secure your online presence,” he told Forbes.
Neither the Pakistani nor the Indian embassy in London had responded to requests for comment at the time of publication.