| Researchers April 16, 2018



Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East

By Andrew Blaich, Michael Flossman

Lookout researchers have identified a new, highly targeted surveillanceware family known as Desert Scorpion in the Google Play Store. Lookout notified Google of the finding and Google removed the app immediately while also taking action on it in Google Play Protect. The app ties together two malware families - Desert Scorpion and another targeted surveillanceware family named FrozenCell - that we believe are being developed by a single, evolving surveillanceware actor called APT-C-23 targeting individuals in the Middle East.

We've seen this actor rely heavily on phishing campaigns to trick victims into downloading their malicious apps, specifically on Facebook. Even sophisticated actors are using lower cost, less technologically impressive means like phishing to spread their malware because it's cheap and very effective, especially on mobile devices where there are more ways to interact with a victim (messaging apps, social media apps, etc.), and less screen real estate for victims to identify potential indicators of a threat.

Lookout customers are protected against this threat and additionally we have included a list of IOCs at the end of this report. 

Dardesh App Google Play

The Dardesh app associated with Desert Scorpion.

The potential actor and who they target

Our current analysis strongly suggests Desert Scorpion is being deployed in targeted attacks against Middle Eastern individuals of interest, specifically those in Palestine; this activity has also been highlighted by other researchers. We have been able to tie the malware to a long-running Facebook profile that we observed promoting the first stage of this family, a malicious chat application called Dardesh, via links to Google Play. The Lookout Threat Intelligence team identified that this same Facebook profile has also posted Google Drive links to Android malware belonging to the FrozenCell family, which is attributed to APT-C-23. These factors, combined with the fact that the command and control infrastructure used by FrozenCell and Desert Scorpion resides in similar IP blocks, support the theory that the same actor is responsible for operating, if not developing, both families.

Facebook page

What it does

The surveillance functionality of Desert Scorpion resides in a second-stage payload that can only be downloaded if the victim has downloaded, installed, and interacted with the first-stage chat application. The chat application acts as a dropper for this second-stage payload app. At the time of writing, Lookout has observed two updates to the Dardesh application, the first on February 26 and the second on March 28. The malicious capabilities observed in the second stage include the following:

  • Upload attacker-specified files to C2 servers
  • Get list of installed applications
  • Get device metadata
  • Inspect itself to get a list of launchable activities
  • Retrieve PDF, txt, doc, xls, xlsx, ppt, pptx files found on external storage
  • Send SMS
  • Retrieve text messages
  • Track device location
  • Handle limited attacker commands via out-of-band text messages
  • Record surrounding audio
  • Record calls
  • Record video
  • Retrieve account information such as email addresses
  • Retrieve contacts
  • Remove copies of itself if any additional APKs are downloaded to external storage
  • Call an attacker-specified number
  • Uninstall apps
  • Check if a device is rooted
  • Hide its icon
  • Retrieve list of files on external storage
  • If running on a Huawei device, attempt to add itself to the protected list of apps able to run with the screen off
  • Encrypt some exfiltrated data
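Almost every capability in that list needs a dangerous permission, and a staged payload that calls itself "Settings" has no legitimate reason to request most of them. The script below is an added triage example (editor's code, not Lookout's tooling and not code recovered from the malware) that reads a decoded AndroidManifest.xml, such as the output of apktool or `aapt dump xmltree`, and maps the requested permissions back onto the capability list above. The capability-to-permission mapping, the threshold of five, and both sample manifests (including the package names) are the editor's assumptions, constructed so the script runs offline.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Editor's mapping (an assumption, not taken from the report) from the
# second-stage capabilities listed above to the Android permissions an app
# has to request to implement them on a non-rooted device.
CAPABILITY_PERMISSIONS = {
    "record surrounding audio / calls": {"android.permission.RECORD_AUDIO"},
    "record video": {"android.permission.CAMERA"},
    "retrieve SMS / out-of-band commands": {"android.permission.READ_SMS",
                                           "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "track device location": {"android.permission.ACCESS_FINE_LOCATION",
                              "android.permission.ACCESS_COARSE_LOCATION"},
    "retrieve contacts": {"android.permission.READ_CONTACTS"},
    "retrieve account information": {"android.permission.GET_ACCOUNTS"},
    "call attacker-specified number": {"android.permission.CALL_PHONE"},
    "read files on external storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "install / uninstall apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                                 "android.permission.REQUEST_DELETE_PACKAGES"},
}

# A chat app legitimately needs a few of these; a "settings" utility that
# requests this many of them is what triage should surface for analysis.
SUSPICIOUS_THRESHOLD = 5


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def matched_capabilities(manifest_xml):
    """Capabilities from the list above whose permissions the manifest requests."""
    perms = requested_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def is_surveillance_profile(manifest_xml):
    """True when the manifest matches at least SUSPICIOUS_THRESHOLD capabilities."""
    return len(matched_capabilities(manifest_xml)) >= SUSPICIOUS_THRESHOLD


# Constructed manifest for a hypothetical "Settings" second stage. The
# package name is invented and is not an indicator from the report.
SAMPLE_SECOND_STAGE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.settng">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Settings">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary network-using app, for comparison.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""


if __name__ == "__main__":
    for name, manifest in (("second stage", SAMPLE_SECOND_STAGE),
                           ("benign", SAMPLE_BENIGN)):
        caps = matched_capabilities(manifest)
        print(f"{name}: {len(caps)} capabilities, "
              f"suspicious={is_surveillance_profile(manifest)}")
        for cap in caps:
            print("  -", cap)
```

Two caveats follow directly from the report. First, the manifest worth checking is the second stage's, and that APK is only on a device that already ran the chat app, so it has to be pulled from the handset rather than from the Play listing. Second, permissions are a coarse signal: hiding the launcher icon, checking for root, and deleting rival APKs need no dangerous permission at all, so a low score does not clear a sample.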

Desert Scorpion's second stage masquerades as a generic "settings" application. Curiously, several of these second-stage packages have included the word "Fateh" in their package name, which may refer to the Fatah political party. Such references would be in line with FrozenCell's phishing tactics, in which file names were used to lure people associated with the political party into opening malicious documents. Desert Scorpion's second stage is also capable of installing another, non-malicious application (bundled inside the second stage) that is highly specific to the Fatah political party, which further supports the targeting theory.

Desert Scorpion phishing

The Lookout Threat Intelligence team is increasingly seeing the tradecraft, tactics, and procedures that APT-C-23 favors being used by other actors. Separating malicious functionality into stages that are downloaded at run time and are not present in the initial app published to the Google Play Store, combined with social engineering delivered via social media platforms like Facebook, requires minimal investment compared with premium tooling like Pegasus or FinFisher. As we saw with actors like Dark Caracal, this low-cost, low-sophistication approach that relies heavily on social engineering has still proven highly successful for those operating such campaigns. Given this actor's previous operational security errors, which resulted in exfiltrated content being publicly accessible, Lookout Threat Intelligence is continuing to map out its infrastructure and closely monitor its continued evolution.

IOCs

Desert Scorpion first stages

Title                              Package name          SHA1
Dardesh                            com.dardesh.v1        dffec2a8c158c2e615d19ab908f0d40a4a731c3f
Dardesh                            com.dardesh.v1        7461a68684f14935d59b62ac5cc6d15e566074da
Dardesh                            com.dardesh           6a8b5360a9231461790db01f3b0bb74f9e168956
Google Play Services Instant Apps  com.metrial.setting   38c8aa9e26feb39a30c0f2a3f005d655346656ff

Desert Scorpion second stages

Title      Package name                 SHA1
Settings   com.setting.fateh.media      c8464d725d8718643195bd7831e30123036ce80a
Settings   com.metrial.settng           9e394dd43a90a801bcb2dbf652f2cad2b46398d7
Settings   com.metrial.setting.fateh    953079b78bbb28cef69eeb7a713793b3c35c33e7
Settings   com.metrial.setting          45438db970c8e8f2f795eccc04f3b04a7ae4da1b
Settings   com.metrial.setting          550efd7749c22ea4a29ff301e599c004a966052a

Fatah media application lures

Title                                        Package name      SHA1
إعلام فتح (Fatah Media)                      com.fateh.media   bba04f650024a582df2abb7d2754b1e96173632b
إعلام فتح (Fatah Media)                      com.fateh.media   e631022b3406920a28841df3c4b4fb953732310c
مفوضية إعلام فتح (Fatah Media Commission)    com.fateh.media   edd4d5ff0631a406901e23fb1918f953e4e3f71b
مفوضية إعلام فتح (Fatah Media Commission)    com.fateh.media   fb13cf63858dbeab0d790be9f964d4173d62f3c6

Domain names and related URLs

Domain name    dardash.info
Domain name    dachfunny.club
Domain name    dardash.fun
Google Docs    https://doc-04-9g-docs.googleusercontent[.]com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/khq1nnes98sbmo0hnca368hdr5d37lko/1521280800000/14075706053171650887/*/1cHHFMm-NiJejIE4xZxXHKGGYtxti4Gjs?e=download
Google Drive   https://drive.google[.]com/uc?authuser=0&id=1cHHFMm-NiJejIE4xZxXHKGGYtxti4Gjs&export=download
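The indicators above are only useful once they are in a form that can be run against device inventories and network logs. The following is an added hunting example (editor's code, not a Lookout tool) that loads the package names, SHA1s, and C2 domains from the tables into Python sets and checks them against `adb shell pm list packages -f` output, APK bytes, and DNS hostnames. The sample `pm list` output, APK paths, and hostnames are constructed for the example; the classification labels and the decision to treat the Fatah lure packages as a targeting signal rather than a compromise are the editor's.

```python
import hashlib

# Indicators copied from the tables above. com.metrial.setting appears in
# both the first-stage and second-stage tables, so it is checked as a
# second stage first. The Fatah media lure packages are kept separate
# because the report describes them as non-malicious apps the second stage
# can install: their presence is a targeting signal, not proof of compromise.
FIRST_STAGE_PACKAGES = {"com.dardesh.v1", "com.dardesh", "com.metrial.setting"}
SECOND_STAGE_PACKAGES = {"com.setting.fateh.media", "com.metrial.settng",
                         "com.metrial.setting.fateh", "com.metrial.setting"}
LURE_PACKAGES = {"com.fateh.media"}

IOC_SHA1 = {
    # first stages
    "dffec2a8c158c2e615d19ab908f0d40a4a731c3f",
    "7461a68684f14935d59b62ac5cc6d15e566074da",
    "6a8b5360a9231461790db01f3b0bb74f9e168956",
    "38c8aa9e26feb39a30c0f2a3f005d655346656ff",
    # second stages
    "c8464d725d8718643195bd7831e30123036ce80a",
    "9e394dd43a90a801bcb2dbf652f2cad2b46398d7",
    "953079b78bbb28cef69eeb7a713793b3c35c33e7",
    "45438db970c8e8f2f795eccc04f3b04a7ae4da1b",
    "550efd7749c22ea4a29ff301e599c004a966052a",
}

C2_DOMAINS = {"dardash.info", "dachfunny.club", "dardash.fun"}


def parse_pm_list(output):
    """Parse `adb shell pm list packages -f` output into {package: apk path}."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            packages[pkg] = path
    return packages


def classify_package(pkg):
    """Label a package name by which IOC table it appears in, or None."""
    if pkg in SECOND_STAGE_PACKAGES:
        return "desert-scorpion-second-stage"
    if pkg in FIRST_STAGE_PACKAGES:
        return "desert-scorpion-first-stage"
    if pkg in LURE_PACKAGES:
        return "fatah-lure"
    return None


def find_ioc_packages(pm_output):
    """Map every installed package that matches an IOC to its label."""
    hits = {}
    for pkg in parse_pm_list(pm_output):
        label = classify_package(pkg)
        if label:
            hits[pkg] = label
    return hits


def sha1_matches(apk_bytes):
    """True when the SHA1 of the APK bytes (e.g. from `adb pull`) is an IOC."""
    return hashlib.sha1(apk_bytes).hexdigest() in IOC_SHA1


def domain_matches(host):
    """True for an IOC domain or any subdomain of one (DNS/proxy log hunting)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


# Constructed sample of `pm list packages -f` output; paths are invented.
SAMPLE_PM_OUTPUT = """package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/com.dardesh.v1-1/base.apk=com.dardesh.v1
package:/data/app/com.metrial.setting-2/base.apk=com.metrial.setting
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
"""

# Constructed sample of hostnames as they might appear in a DNS log.
SAMPLE_HOSTS = ["www.google.com", "api.dardash.info", "dardash.information",
                "DACHFUNNY.CLUB."]


if __name__ == "__main__":
    for pkg, label in find_ioc_packages(SAMPLE_PM_OUTPUT).items():
        print(f"IOC package installed: {pkg} ({label})")
    for host in SAMPLE_HOSTS:
        print(f"{host}: {'C2 match' if domain_matches(host) else 'no match'}")
```

Package-name and hash matches are strongest when taken together: the actor has already shipped two Dardesh updates and reused `com.metrial.setting` across stages, so a fresh build will miss the SHA1 list while still carrying a known package name, and the domain check catches the beaconing even when neither is present on the handset. Note that `pm list packages` will not show a second stage that has hidden its icon any differently from any other app, which is exactly why the inventory, not the launcher, is the thing to check.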

Authors

Andrew Blaich, Manager - Vulnerability Research
Michael Flossman, Security Research Services Tech Lead