Mystery deepens over Android spyware targeting Israeli soldiers

Hackers are continuing to target Israeli Defence Force (IDF) personnel with Android spyware but doubts have emerged that Hamas is behind the cyber-spying operation.

ViperRAT has been specifically designed to exfiltrate information of high value from compromised devices. "Many of these samples are still active and are continuing to covertly copy files of interest from infected devices to attack controlled servers", mobile security firm Lookout reports.

Initial reports had suggested IDF personnel had been compromised by social engineering — being lured into entering communications with third parties (posing as young women) through apps such as SR Chat and YeeCall Pro. ViperRAT has also surfaced in a billiards game, an Israeli Love Songs player, and a Move To iOS app.

A popular early theory was that Hamas was behind the malfeasance. Researchers at Lookout have come to doubt that theory.

"Strings found during source code analysis, as well as the overall sophistication of ViperRAT, suggest it is unlikely that Hamas is responsible for it," according to Lookout. "Research indicates the actor behind it has a well-developed cyber-capability, an active interest in the Middle East region, and likely previously released a non-malicious application to the Google Play Store that is currently still live."

ViperRAT comes in a couple of forms. One is a malicious application the victim is tricked into installing. Typically, someone pretending to be a hot young woman on the internet sends a link to a mark and persuades them to click on it and install the Trojanized app. This malware performs basic profiling of a device, and under certain conditions attempts to download and install a much more comprehensive surveillance component – the second ViperRAT variant.

This second variant is responsible for intelligence gathering and retrieving a broad range of data from compromised devices including locations, web histories, audio clips from calls, text messages and more. The attackers are also hijacking the device camera to take pictures, say the researchers.

"Based on trade craft, modular structure of code and use of cryptographic protocols [AES and RSA encryption] the actor appears to be quite sophisticated," Lookout concludes.

Further research on the same campaign by Kaspersky Lab can be found here. ®