January 18, 2018

Mobile Persistent Threat Actor Running Global Espionage Campaign


What is Dark Caracal?

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor running a global espionage campaign against military personnel, enterprises, medical professionals, lawyers, journalists, educational institutions, and activists.

Dark Caracal has operated a series of multi-platform campaigns starting from at least January 2012, according to our research. The campaigns span 21+ countries and thousands of victims. Types of data stolen include documents, call records, audio recordings, secure messaging client content, contact information, text messages, photos, and account data. We believe this actor is operating their campaigns from a building belonging to the Lebanese General Security Directorate (GDGS) in Beirut.

The joint Lookout-EFF investigation began after EFF released its Operation Manul report, highlighting a multi-platform espionage campaign. After investigating related infrastructure and connections to Operation Manul, the Lookout Security Intelligence team concluded that the threat actor also executed a widespread mobile APT campaign on a global scale.

We call this Android malware component "Pallas." Pallas is the first mobile advanced persistent threat (mAPT) we've seen deployed on a global scale. We believe the actors would use Pallas against any target a nation state would otherwise attack, including governments, militaries, utilities, financial institutions, manufacturing companies, and defense contractors.

All Lookout customers are protected from this threat. Lookout researchers also worked directly with the Google Android Security Team to address the Android component of this threat within the Android ecosystem. The team was highly responsive and worked to find the malicious apps and protect customers.

"Google has identified the apps associated with this actor, none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices."

How to stay safe

Dark Caracal gets on people's devices through phishing attacks. As always, you should be wary of links in messages, SMS, or emails. These phishing messages are oftentimes well-spoofed, so if you're wondering whether a friend or colleague has sent you a message with a link or attachment, contact them directly to ask if the message is real. Lastly, having Lookout on the device will protect you from malicious apps by alerting you any time a bad app is downloaded to your device. Enterprise IT admins will receive the same kind of alert through Lookout Mobile Endpoint Security.
