January 18, 2018

Mobile Persistent Threat Actor Running Global Espionage Campaign


What is Dark Caracal?

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor running a global espionage campaign against military personnel, enterprises, medical professionals, lawyers, journalists, educational institutions, and activists.

According to our research, Dark Caracal has operated a series of multi-platform campaigns since at least January 2012. The campaigns span more than 21 countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data. We believe this actor is operating its campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.

The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign. After investigating related infrastructure and connections to Operation Manul, the Lookout Security Intelligence team concluded that the threat actor also executed a widespread mobile APT campaign on a global scale.

We call this Android malware component "Pallas." Pallas is the first mobile advanced persistent threat (mAPT) we've seen deployed on a global scale. We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

All Lookout customers are protected from this threat. Lookout researchers also worked directly with the Google Android Security Team to address the Android component of this threat within the Android ecosystem. The team was highly responsive and worked to find the malicious apps and protect customers.

"Google has identified the apps associated with this actor; none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices."

How to stay safe

Dark Caracal gets onto people's devices through phishing attacks. As always, be wary of links in chat messages, SMS, or emails. These phishing messages are often well spoofed, so if you are unsure whether a friend or colleague really sent you a message with a link or attachment, contact them directly to confirm it is genuine. Lastly, having Lookout on the device will protect you from malicious apps by alerting you any time a bad app is downloaded to your device. Enterprise IT admins receive the same kind of alert through Lookout Mobile Endpoint Security.

Authors

Mike Murray

Chief Security Officer

Mike Murray is the Chief Security Officer at Lookout. For nearly two decades, Mike has focused on high-end security research, first as a researcher and penetration tester and then building and leading teams of highly skilled security professionals. He previously led Product Development Security at GE Healthcare, where he built a global team to secure the Healthcare Internet of Things. Prior to that, he co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including nCircle Network Security, Liberty Mutual Insurance and Neohapsis.

Platform(s) Affected
Android
Threat Type
Malware
Entry Type
Threat Summary

