Mobile Persistent Threat Actor Running Global Espionage Campaign

What is Dark Caracal?

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor running a global espionage campaign against military personnel, enterprises, medical professionals, lawyers, journalists, educational institutions, and activists.

Dark Caracal has operated a series of multi-platform campaigns starting from at least January 2012, according to our research. The campaigns span across 21+ countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data.  We believe this actor is operating their campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.

The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign. After investigating related infrastructure and connections to Operation Manul, the Lookout Security Intelligence team concluded that the threat actor also executed a widespread mobile APT campaign on a global scale.

We call this Android malware component "Pallas." Pallas is the first mobile advanced persistent threat (mAPT) we've seen deployed on a global scale. We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

All Lookout customers are protected from this threat. Lookout researchers also worked directly with the Google Android Security Team to address the Android component of this threat within the Android ecosystem. The team was highly responsive and worked to find the malicious apps and protect customers.

"Google has identified the apps associated with this actor, none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices."

‍

How to stay safe

Dark Caracal gets on people's devices through phishing attacks. As always, you should be wary of messages with links in messages, SMS, or emails. These phishing messages are oftentimes well-spoofed, so if you're wondering whether a friend or colleague has sent you a message with a link or attachment, contact them directly to ask if the message is real. Lastly, having Lookout on the device will protect you from malicious apps by alerting you any time a bad app is downloaded to your device. Enterprise IT admins will receive the same kind of alert through Lookout Mobile Endpoint Security.