1

Increased use of Android Malware targeting Journalist

In recent weeks, Iranian groups have increased their use of Android malware in order to compromise foreign journalists and political activists focused on the country. These incidents have involved the use of fictitious personas and compromised accounts in order to turn on others. Alongside Android malware, the group uses a familiar tactic of sending fake login pages for Facebook, Google, Yahoo and Microsoft in order to obtain account credentials through phishing. Finally, while two-factor authentication (2FA) remains a critical resource to protect accounts, an observed compromised further highlights the need to move away from using the text message method onto Google Authenticator.

INCIDENT AND IMPACT

On August 20, 2016, the Facebook account of a political activist based in Europe was compromised through an impersonation login page sent by an individual that had claimed to be a past acquaintance.

Once the intruders had access to the Facebook account, they posed as that individual in order to start conversations with his social network, particularly journalists within the Persian-language media community that would be familiar with his work. This is a common tactic that Claudio Guarnieri and Collin Anderson have documented in several incidents, posing as a trusted person with a breached account to attack their personal network. In one conversation, the intruder asked a journalist for their private contact information and sent what they claimed were “important documents” that needed to be reported.

In reality, the link sent to the new target was an impersonation login page for Google Drive – a phishing attempt intended to deceive them into entering their username and password. These pages are often hosted on domains that appear to be connected to Google or Facebook and appear official through jargon (such as “verifyuser-login-account.com”). These pages also may support a secure web connection (HTTPS) in order to appear legitimate and in thwart previous advice on spotting fakes. From other experiences, in the event that the deception is not successful, the attackers will commonly increase the pressure on targets to open the document or turn to threats in order to force cooperation. One compromised, the attacker creates an offline backup of emails to ensure that an archive of their contacts and communications is still available if they are locked out of an account.

While one target had enabled two-factor authentication (2FA) through text message, the attackers were able to handle this through asking for the codes from the user. Iranian groups have long adapted their strategies to confront the use of this security mechanism, and now include an extra step to obtain the two-factor code where it is enabled. The problem, in this case, is that the codes sent via text message are valid for longer periods of time. This longer lifespan provides the attacker enough time to ask the user for the real code that is sent from Google and then enters it themselves. This is addressed further in Recommendations.

Importantly, the attackers have also sent Android application files (APKs) to recent targets. This incident represents a growing trend in the use of Android malware in targeting activists and journalists over recent months. In other encounters, the Android malware posed as the messaging applications such as IMO. Claudio Guarnieri and Collin Anderson  have witnessed cases where these clients were sent claiming to be secure chat software. International Campaign for Human Rights in Iran has also indicated that attackers have posed as an “old friend” on other messaging services and encouraged them to install the malware client to continue the conversation. In other cases, the found picture of the target strangely embedded in the icon of malware.

No matter the social engineering strategy, the Android applications sent to targets were remote access tools (RATs) that would provide full access to a victim’s phone for an attacker in Iran. On installation, these applications would appear as “private chat” or “com_google_sevices” (sic), and quietly record the device’s activities in the background. This software requests all permissions on the phone, and then persistently collects and monitors text messages, emails, photos, microphone, location and other private information. The use of Android malware is effective because of the popularity of the platform, and mobile devices overall, in Iran. Sanctions and other restrictions have also led to more Iranian users installing applications from non-official sources, decreasing the security of their devices.

In the incidents in question, the Android malware used was the “DroidJack” agent, a RAT frequently found in other criminal activities. The fake IMO client is the Meterpreter agent developed for the open source platform Metasploit and it was used in malicious documents. This is also not the first time that Iranian actors have been observed using mobile malware, and Citizen Lab has documented the use of the same DroidJack RAT against Syrian dissidents by unknown actors believed to be based in Iran. A full description of the capabilities of the Android malware is not in scope for this notice, as Citizen Lab and Symantec have extensively described the agent in question.

Claudio Guarnieri and Collin Anderson have find indication of another Android RAT named KrakenAgent, which is a full-featured malware. While the tactics found in the KrakenAgent malware attempts have been directed against activists, it’s targeting appears to be global in scope. The task list of the malware describes an ambition to fully control the phone and monitor all aspects of the use of their device.

“Call Number”, “Capture Audio”, “Capture Picture”, “Capture Video”, “Delete Contact”, “Delete File”, “Delete Recent Call Log”, “Delete SMS”, “Disable Agent”, “Get Application List”, “Get Bluetooth List”, “Get Browser History”, “Get Chrome Credential Store”, “Get Contact List”, “Get Current Cell Info”, “Get Default Browser Credential Store”, “Get Device Info”, “Get Directory Listing”, “Get File”, “Get Location”, “Get Neighbouring Cell List”, “Get Recent Call Log”, “Get SMS”, “Get Skype Database”, “Get Viber Database”, “Get WhatsApp Database”, “Get WiFi List”, “Open URL In Browser”, “Record Call”, “Send SMS”, “Send USSD”, “Volume Change”

Notable actions with KrakenAgent include copying the username and passwords stored on the phone, stealing messages (Skype, Viber, SMS and WhatsApp), and using the phone as an eavesdropping device.

RECOMMENDATIONS

The incident is indicative of common trends in the tactics used by Iranian groups to target interests inside of the country and in the diaspora. While the intent of this disclosure is not to provide a full digital security lesson, there are simple changes to settings and behaviors that can reduce the effectiveness of these attacks.

USE AN  ALTERNATIVE TWO FACTOR AUTHENTICATION (2FA) METHOD THAN TEXT MESSAGE

The codes provided by text message are valid for a longer amount of time compared to other the application method, which presents social engineering opportunities for attackers. Text message codes are also considered unsafe due to security issues with mobile networks, and so their use is increasingly discouraged where a better replacement is possible. Google and other platforms provide methods of generating codes that are similar to text messages, and may be easier to use, such as Google Authenticator or a Yubikey.

As an example, please see Google’s help page on Authenticator.

EXERCISE CAUTION WITH DOCUMENTS AND LINKS

Be cautious when people offer documents over social networks, and consider confirming that you are speaking with the right person over the phone. Researchers have witnessed in many cases where people realized they were being targeted when the person they were supposedly speaking to couldn’t talk claiming they lost their voice. Be suspicious when someone is asking for a code from you – this could be a login or password reset code sent from your service provider to gain access to your accounts.

In general, take an extra moment to consider the situation when someone claims to be sending a “secure” document or anything that requires sending them a “code.”

CHECK WHAT YOU ARE TYPING YOUR PASSWORD INTO

Impersonation sites often have Google or Facebook in the name, but still are not the service in question and are instead malicious (e.g. “privacy-google.com”). Anytime that a site asks for your username and password, be alert and pause. Why is it asking for your information? How did you get to this page? Are you still logged into your account elsewhere?

DO NOT INSTALL .APK FILES FROM UNTRUSTED SOURCES

Do not install Android applications and run executable files (.EXE or .SCR) from unknown sources, including from friends or untrusted websites. Be especially sensitive if the application that is being installed requests permission for private data and features like the microphone.

Do not allow applications from “Unknown Sources” to be installed.

INDICATORS OF COMPROMISE

  Filename
  SHA256
  MD5
  imo.apk
  85899e8270a7f1795189e67625a33098b8264bbd5c79d2800246aa69f89e8ee4
  8b2ad85b8b5c835777664f240f2065e6
  [target name].apk
  d128d2177c65a24cc2938193b6b45e927679a367c7ba1d408baca734aef3e23f
  40e09e28551080f4ebdba54ff15e81a5
  [krakenagent].apk
  e2694da3a053c434d0265be78525cf43babd95efb2660446eddc7cdfda51f468
  3101082d0277e6de030da7a9b813dc93

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *