Nation-state Mobile Malware Targets Syrians with COVID-19 LuresDownload Case Study
Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors, which recently started using the novel coronavirus as its newest lure to entice its targets to download malware.
This campaign appears to have been active since the start of January 2018, and targets Arabic-speaking users, likely in Syria and the surrounding region. None of these apps were available on the official Google Play Store, suggesting they were likely distributed through actor-operated watering holes or third-party app stores. Lookout previously reported on another surveillanceware campaign using COVID-19 related lures targeting Libya.
Applications from this surveillance campaign impersonate a variety of applications, with titles such as “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic” (an end-to-end encrypted messaging application), as well as a phone signal booster and OfficeSuite application. Package names also allude to Syrian targeting, with names such as “com.syria.tel”, “syria.tel.ctu”, and “com.syriatel.ctu”.
Lookout researchers found 71 malicious Android applications connected to the same command-and-control (C2) server. The IP address of the C2 server is located in a block of addresses held by Tarassul Internet Service Provider, an ISP owned by – and sharing network infrastructure with – the Syrian Telecommunications Establishment (STE) (Freedom House, 2018). STE has a history of hosting infrastructure for the Syrian Electronic Army (SEA), a Syrian state-sponsored hacking group. Notably, the C2 servers of SilverHawk, an Android malware family previously reported on by Lookout researchers, were located on IP addresses belonging to STE.
Not all applications in this campaign were completely scrubbed of sensitive information when they were created. A large portion of the malicious applications are SpyNote samples, which store C2 information, along with user inputted names, version numbers, and other information, in res/values/strings.xml. In the strings.xml files of these applications, 22 APKs reference “Allosh”, a name previously used in connection with a known Syrian Electronic Army persona.
Previous strings appearing in other malware associated with the Syrian Electronic Army contain this name, such as “c:\users\allosh hacker\documents\visual studio 2012\Projects\allosh\allosh\obj\Debug\Windows.pdb” mentioned in reporting by Citizen Lab on the SEA malicious repackaging of the Psiphon 3 circumvention tool, and “c:\Users\Allosh Hacker\Desktop\Application\obj\Debug\Clean Application.pdb” from pdb paths discovered in binaries associated with SilverHawk infrastructure.
Screenshot of a strings.xml file, and all unique personas discovered in this campaign.
The Syrian Electronic Army has been active recently, with one of their Twitter accounts claiming responsibility this month for DDoS attacks against Belgian media, as well as defacing PayPal and eBay websites as recently as April 7, 2020.
Two of the most recent claims by @Official_SEA7, one of the Syrian Electronic Army’s multiple Twitter accounts which has been active since 2013.
Syrian authorities are known to heavily censor their country’s internet, with Syria ranking 174th on Reporters Without Borders 2019 World Press Freedom Index. In addition, according to the 2018 Freedom of the Net Report published by Freedom House, an NGO which conducts research and advocacy on democracy, political freedom, and human rights, “In areas controlled by the government, the Syrian Telecommunications Establishment (STE) serves as both an ISP and the telecommunications regulator, providing the government with tight control over the internet Infrastructure. Furthermore, private fixed-line and mobile ISPs are required to sign a memorandum of understanding to connect to the international internet via gateways controlled by the Syrian Information Organization (SIO)” (Freedom on the Net 2018).
After installation, the original Covid19 application hides its icon and only displays the newly installed Degree Measure application.
The newly installed application (com.finger.body.temperature.ap) is a benign prank - a fake digital thermometer that serves as a decoy. Meanwhile the malware continues to operate in the background.
The user holds down on the screen on the fingerprint and is informed that their body temperature is 35°C.
Some AndoServer samples are purely surveillanceware that do not even pretend to be anything else, while others, like this sample here, contain legitimate applications inside the malware, with the benign APK hidden in the res/raw folder.
AndoServer samples receive commands, and are capable of:
- Taking a screenshot
- Getting battery levels and if the device is plugged in
- Reporting location (latitude and longitude)
- Getting a list of installed applications
- Launching an application specified by the malicious actor
- Checking the number of cameras on a device
- Choosing a specific camera to access
- Creating a specific pop-up message (toast)
- Recording audio
- Creating a file on external storage
- Exfiltrating call logs
- Listing files contained in a specified directory
- Calling a phone number
- Exfiltrating SMS messages
- Sending SMS to a phone number
- Exfiltrating the contact list
- Playing a ringtone and then sleeping
AndoServer malware has its C2 domain or IP address hard coded into the source code. Each sample also has its own unique identifier string at the start of its communication with C2 servers, that appears to be for the actor to monitor which application in their arsenal is responsible for the compromise, as they can see the unique application installed by the specific victim. While not always the case, some unique identifiers are similar to the name of the C2 domain, while other times they refer to the title of the application, highlighting another level of customization of this malware.
Prevalence of commercial surveillanceware
Of the malicious applications in this campaign, 64 of 71 are SpyNote samples, a well known commercial surveillanceware family. The remainder belong to the SandroRat, AndoServer, and SLRat families, of which the latter two have not yet been publicly reported on.
SLRat appears to have gained popularity since its developer first publicized it in May 2016, advertising it as “the Best and Free android remote admin tool”, while AndoServer has not yet been seen for sale or mentioned on public forums. Based on samples ingested to date however, Lookout researchers believe it is also a customizable Android malware that may be for sale, or only known about and used by a smaller group of operators.
Given Syria’s history of censorship and past mobile and desktop surveillance campaigns, it should come as no surprise that another campaign is active. SilverHawk actors initially entered the mobile malware space using the commercial Android surveillanceware AndroRat, before customizing it and then developing their own mobile tooling. It is in line with known TTPs that a new commercial or public spy tool might have been adopted and used by this actor as part of new surveillance efforts, and there are likely more to be discovered.
Lookout has been ingesting samples from the AndoServer and SJRat families since 2016, and has seen a spike in activity towards the end of 2019.
IOCs (SHA1 hashes of the malicious apps):