ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force. The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures.
Using data collected from the Lookout global sensor network, the Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.
In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images including anything at which device’s camera is pointed.
Lookout has determined ViperRAT is a very sophisticated threat that adds to the mounting evidence that targeted mobile attacks against governments and business is a real problem.
Lookout researchers have been tracking this threat for the last month. Given that this is an active threat, we’ve been working behind-the-scenes with our customers to ensure both personal and enterprise customers are protected from this threat and only decided to come forward with this information after the research team at Kaspersky released a report earlier today.
Additionally, we have determined that though original reports of this story attribute this surveillanceware tool to Hamas, this may not be the case, as we demonstrate below.
The structure of the surveillanceware indicates it is very sophisticated. Analysis indicates there are currently two distinct variants of ViperRAT. The first variant is a “first stage application,” that performs basic profiling of a device, and under certain conditions attempts to download and install a much more comprehensive surveillanceware component, which is the second variant.
The first variant involves social engineering the target into downloading a trojanized app. Previous reports alleged this surveillanceware tool was deployed using ‘honey traps’ where the actor behind it would reach out to targets via fake social media profiles of young women. After building an initial rapport with targets, the actors behind these social media accounts would instruct victims to install an additional app for easier communication. Specifically, Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro. We also uncovered ViperRAT in a billiards game, an Israeli Love Songs player, and a Move To iOS app.
The second stage apps contain the surveillanceware capabilities. Lookout uncovered nine secondary payload applications:
* These apps have not been previously reported and were discovered using data from the Lookout global sensor network, which collects app and device information from over 100 million sensors to provide researchers and customers with a holistic look at the mobile threat ecosystem today.
Naming additional payload applications as system updates is a clever technique used by malware authors to trick victims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its dropper app to identify an appropriate second stage ‘update’ that may go unnoticed. For example, if a victim has Viber on their device, it will choose to retrieve the Viber Update second stage. If he doesn’t have Viber, the generically-named System Updates app gets downloaded and installed instead.
The actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent, were highly likely encrypted images taken using the device camera. We also observed automatically generated files on the C2, indicating the actor behind this campaign also issues commands to search for and exfiltrate PDF and Office documents. This should be highly alarming to any government agency or enterprise.
ViperRAT samples are capable of communicating to C2 servers through an exposed API as well as websockets. Below is a collection of API methods and a brief description around their purpose.
Media reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas. Israeli media published the first reports about the social networking and social engineering aspects of this campaign. However it’s unclear whether organizations that later reported on ViperRAT performed their own independent research or simply based their content on the original Israeli report. Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRAT.
ViperRAT has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in this application are in Arabic, including the name. It is unclear whether this means early samples were targeting Arabic speakers or if the developers behind it are fluent in Arabic.
This leads us to believe this is another actor.
All Lookout customers are protected from this threat. However, the existence of threats like ViperRAT and Pegasus, the most sophisticated piece of mobile surveillanceware we’ve seen to date, are evidence that attackers are targeting mobile devices.
Mobile devices are at the frontier of cyber espionage, and other criminal motives. Enterprise and government employees all use these devices in their day-to-day work, which means IT and security leaders within these organizations must prioritize mobile in their security strategies.
Interested in learning more about threats like ViperRAT? Contact Lookout today to get details about our Threat Advisory Service and Lookout Mobile Endpoint Security.
September 20, 2023
Lookout identified and analyzed an Android application sample of Deblind — a component of the Infamous Chisel Android surveillance tooling.
July 19, 2023
January 3, 2023