Security researchers have discovered a new threat, known as Dardesh, that posed as a legitimate app and was distributed through the Google Play Store. The malware is presented as a chat app and managed to fool many users into installing it. Once installed it activates its built-in spy module and begins surveilling the victims in real time.
The Spying Dardesh Android App Incident Revealed
Malware researchers discovered that a new threat was able to penetrate the Google Play Store. It is a ready-made surveillance tool masked as a chat application. According to the researchers it belongs to a family of threats called “Desert Scorpion”. The analysis reveals that the main distribution method was a counterfeit Facebook profile that posted links to the app. The hacker or criminal collective behind the attack wrote those posts in Arabic in order to lure targets to the threat.
Once loaded onto a victim's device, the chat app acts as a first stage: it fetches a second-stage payload that is designed to look like a generic “settings” application. That second stage starts automatically and conducts constant surveillance of the victim. The operators receive the device's location in real time and can also record audio and video, including calls. The Trojan has also been found to retrieve stored files, text messages and account credentials. Because the Dardesh app obtains device administrator privileges, it can also uninstall and modify installed software.
After the malware was reported to Google it was taken down from the Play Store. Google Play Protect has also been updated to detect it and can warn users in the future if any copies reappear.
Dardesh Android Malware Intended Targets
The research team that uncovered the Dardesh infections reports that the attacks were probably carried out by a hacking group tracked as APT-C-23. The Desert Scorpion code used in this instance appears to be part of a larger targeted campaign against individuals in the Middle East, with Palestine appearing to be the main focus. While analysing the Facebook profile used to distribute the malware, the team found that it had previously been used to post links to another Android malware belonging to the Frozen Cell family. It is believed that both are developed by the same criminal collective; the command servers used by the two families sit in the same IP blocks.
Splitting the malware's functionality into several components makes it harder for automated security scanners to detect: the app submitted to the store carries only the loader, while the surveillance code arrives later as a second stage. The attacks combine this staged delivery with social engineering lures.
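The second-stage capabilities described above (auto-start at boot, device administrator enrolment, location, audio/video and call recording, SMS, files, accounts, package removal) all leave traces in the payload's AndroidManifest.xml. The following triage script is an added example written for this page, not code from the researchers or from the malware; it parses a decoded manifest (such as apktool output) and flags the combination of persistence, device admin and surveillance permissions. The two manifests embedded in it are constructed for illustration, and the verdict threshold is an assumption made for the example, not a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml (e.g. apktool output) for the
capability profile described above: device-admin enrolment, auto-start at
boot, and surveillance permissions (location, audio/video and call
recording, SMS, files, accounts) plus the ability to install or remove
other packages.  Added example; the two manifests below are constructed
for illustration, not taken from the Dardesh sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Real Android permission names, grouped by the capability they enable.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_and_calls": {"android.permission.RECORD_AUDIO",
                        "android.permission.READ_CALL_LOG",
                        "android.permission.READ_PHONE_STATE"},
    "video": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "package_management": {"android.permission.REQUEST_INSTALL_PACKAGES",
                           "android.permission.REQUEST_DELETE_PACKAGES"},
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text):
    """Return the capability profile of one manifest and a verdict.

    The verdict threshold (boot persistence + device admin receiver + two or
    more surveillance capability groups) is an assumption made for this
    example, not a published detection rule."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    capabilities = {cap: sorted(perms & names)
                    for cap, names in CAPABILITIES.items() if perms & names}
    boot_receivers, admin_receivers = [], []
    for rcv in root.iter("receiver"):
        name = rcv.get(_a("name"))
        # A DeviceAdminReceiver must be protected by BIND_DEVICE_ADMIN.
        if rcv.get(_a("permission")) == DEVICE_ADMIN_PERMISSION:
            admin_receivers.append(name)
        if any(act.get(_a("name")) == BOOT_ACTION for act in rcv.iter("action")):
            boot_receivers.append(name)
    surveillance = [c for c in capabilities if c != "package_management"]
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "boot_receivers": boot_receivers,
        "device_admin_receivers": admin_receivers,
        "suspicious": (bool(boot_receivers) and bool(admin_receivers)
                       and len(surveillance) >= 2),
    }


# Constructed second-stage manifest posing as a "Settings" app.
STAGE2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.settings">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="Settings">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary chat app: media permissions, but no
# persistence and no device admin receiver.
CHAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (STAGE2_MANIFEST, CHAT_MANIFEST):
        print(triage_manifest(manifest))
```

Run against a real sample, the script is only a first filter: the first-stage chat app will look much like the benign manifest here, which is exactly the point of the staged design, so the second-stage APK it downloads is what has to be pulled and triaged.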