A newly uncovered cyber-espionage campaign targets Android users in the Middle East and North Africa through the chat app Telegram and compromised websites, according to a report published Thursday by Kaspersky Lab.
Kaspersky says it identified four different iterations of “ZooPark,” malware apparently developed between 2015 and 2017, each one expanding on the previous. The latest version has the capability to exfiltrate a wide range of data, including contacts, GPS location, text messages, call audio, keylogs and others. The malware can also take pictures, video and screenshots as well as record audio.
“This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware,” the report says. “This suggests the latest version may have been bought from vendors of specialist surveillance tools.”
The campaign spreads spyware focusing on victims in Iran, Morocco, Egypt, Jordan and Lebanon, the report says.
One of the vectors by which the ZooPark malware is spread is the secure chat app Telegram. The report says Kaspersky identified Telegram channels in which attackers spread malicious links. In one channel active in 2015 and 2016, the links were for a fake voting app for Kurdistan, a province in Iran.
Iran this week blocked Telegram in the country, citing concerns that terrorists were using it to stay hidden from authorities.
The other attack vector that Kaspersky points out is the use of “watering holes,” whereby attackers compromise popular websites so that those sites deliver malware onto the devices of unwitting visitors.
The report presents examples of several popular Arabic news websites that had been co-opted as watering holes for the ZooPark hackers.
Kaspersky malware analyst Alexey Firsh told CyberScoop in an email that fewer than 100 targets had been observed.
“This and other clues indicate that the targets are specifically selected,” Firsh said.
Kaspersky provides little other insight as to who the targeted victims are, but says in a press release that the campaign appears to be backed by a nation-state.
“More and more people use their mobile devices as a primary – or sometimes even only – communication device. That is certainly being spotted by nation-state sponsored actors, who are building their toolsets so they will be efficient enough to track mobile users,” Firsh says in the release. “The ZooPark APT, actively spying on targets in Middle Eastern countries, is one such example, but it is certainly not the only one.”