Facebook says cyber spies are using fake WhatsApp and Signal apps to spy on thousands of people
Hackers used malware capable of accessing call logs, text messages, and a device’s camera and microphone.
According to a new report from Facebook, a cyber espionage group suspected of operating out of India and Pakistan is spying on thousands of people using malware posing as popular secure messaging apps.
The report details the efforts of a group known as Bitter APT who installed malware on Android devices via fake versions of the encrypted messaging apps WhatsApp, Signal and Telegram, which gained popularity among Ukrainians in as a tool for communicating information about the Russian invasion. (APT stands for Advanced Persistent Threat and is a designation usually given to state-sponsored hacking groups). Dubbed “Dracarys”, a name found in the malware code and a possible reference to game of thrones, Facebook claims that the malware can siphon all kinds of information from an Android device, including call logs, contacts, files, text messages and geolocation data. It can also access a device’s camera and microphone.
Dracarys has been spread on social media sites Meta, Facebook and Instagram, by hackers posing as attractive young women, journalists or activists, who convince their targets to download the fake app. Once they do, Dracarys abuses accessibility features intended to help users with disabilities automatically click and grant broad device permissions such as the ability to access the camera.
According to Facebook, this trick meant that the malware could collect data from the phone and appear to be legitimate, which meant that anti-virus systems did not detect it. “This shows that Bitter has successfully reimplemented common malicious functionality in a way that has gone undetected by the security community for some time,” Facebook wrote in its report.
Previously, Forbes the report found links between Bitter APT and the Indian government, after the group acquired Microsoft Windows hacking tools from an American company. The Meta-owned social media giant did not say if it believed Bitter APT was of Indian origin, but noted that it operates from South Asia, targeting people in New Zealand, India , Pakistan and the United Kingdom. Cisco’s Talos cybersecurity research division recently said the group has been carrying out attacks since 2013 against energy, engineering and government entities in China, Pakistan and Saudi Arabia.
Android may not have been Bitter APT’s only target. Facebook also saw the group’s fake personas handing out links to downloads of an iPhone chat app. The hackers tried to convince the targets to download Apple’s Testflight service for developers to test the apps and then install the chat app. By using Testflight, hackers didn’t have to rely on sophisticated technical hacking of the iPhone, only their social engineering skills. Facebook was unable to determine whether this software actually contained malicious code, but theorized “that it could have been used for additional social engineering on an attacker-controlled chat medium.” The company reported its findings to Apple.
Neither Apple nor Google had provided comment at the time of publication.
On Thursday, Facebook also announced action against a Pakistan-based government hacking unit known as APT36. He was also creating Android spy tools masquerading as apps such as WhatsApp, Chinese social network WeChat and YouTube. This malware was actually a modified version of a popular Android tool known as XploitSPY, “originally developed by a group of self-declared ethical hackers in India”. It was also able to spy on contacts, call lists and listen to victims through the device’s microphone. APT36 had been spotted targeting people in Afghanistan, India, Pakistan, the United Arab Emirates and Saudi Arabia, “including military personnel, government officials, employees of human rights organizations ‘man and other non-profit organizations, as well as students’.
Mike Dvilyanski, head of cyber espionage investigations at Facebook, said Meta has identified 10,000 users in at least nine countries who may have been targeted by APT36 and Bitter APT and is warning users directly on Facebook and Instagram. “If we think you might have come into contact with one of these groups, we want to alert you and we want to tell you about the tools you can use to secure your online presence,” he said. Forbes.
Neither the Pakistani nor Indian embassies in London had responded to requests for comment at the time of publication.