| Executives January 10, 2018

January 10, 2018

The mAPT has arrived

By Mike Murray

man holding phone

Mobile has emerged as a key component of the Advanced Persistent Threat arsenal. These "mAPTs" take advantage of the smartphone's features and capabilities and turn it into the ideal weapon for cyber espionage.

The history of the APT

"Advanced Persistent Threat" or APT has been in the cybersecurity lexicon for over a decade. According to the Wikipedia definition, it is the common way to describe a group, usually a nation-state, that has the capability and intent to persistently and effectively target other nation-states, businesses, or individuals in order to extract information that is typically for the purpose of political gain. APTs are often patient and always well resourced. It is not uncommon to see them infect a machine and stay hidden for years while obtaining the information they are after. 

The APT designation was initially associated with China (thanks to Mandiant's APT1 report), but we have now seen APTs originate from all over the world. Most newsworthy of late are APT28, aka Fancy Bear, a cyber espionage group likely associated with the Russian military intelligence agency GRU, and APT29, aka Cozy Bear, who are likely associated with the Russian Federal Security Services (FSB). These two actors gained particular notoriety when they were implicated in hacking the Democratic National Committee during the 2016 US election. 

While the typical discussion of APTs has focused on PC/Mac/Linux exploitation, Lookout has observed the evolution of a new trend. The vast majority of APTs have expanded their toolkits such that there is a clear emphasis on gathering intelligence from mobile devices -- they have evolved into mobile-focused APTs (mAPTs).

mAPTs today

Lookout discovered a number of mAPTs in 2017 who are rapidly evolving their capabilities. This suggests to us that the number of APT actors adding mobile capabilities is growing quickly, and we expect to see a wide proliferation of mAPTs in 2018.

For example, xRAT targets Hong Kong protesters with extensive data collection functionality and the ability to remotely run a suicide function to avoid detection. Despite being associated to some Windows malware in the past, the actors behind it have primarily used iOS and Android tools to gather intelligence from high value assets. Another recent high profile family that was seen to utilize a desktop capability but has since shifted to having a strong mobile presence is FrozenCell. Targeting employees of various Palestinian government agencies, security services, Palestinian students, and those affiliated with the Fatah political party, FrozenCell masquerades as fake updates to chat applications like Facebook, WhatsApp, Messenger, LINE, and LoveChat. Any mobile APT discussion also wouldn't be complete without mentioning our discovery of the mother of all mAPT tools -- the Pegasus spyware for iOS and Android developed by NSO Group and peddled to nation-state APT actors around the world. Finally, today we announced the discovery of the continued evolution of SpyWaller, an mAPT originating from China that may now be expanding its surveillance campaigns to Western targets.

Why we're seeing mAPTs now

The rise of the mAPT is happening because the mobile device is the perfect espionage tool. Imagine if you could go back in time and tell KGB agents from the 1960s that in 2017, every person would voluntarily carry around with them a small box with a high-fidelity microphone, a high-definition camera, and a highly accurate Global Positioning System (GPS) that can be remotely accessed and turned on at any moment. They would have salivated at the potential. Yet this is the world that we live in today. During the Cold War, security services would spend hundreds of millions of dollars to bug and track members of foreign security services, protesters, opposition political parties and enemies of the state. These days (as in the examples given above), all it takes is a piece of commercial mobile malware or a few texts or Facebook messages, and these threat actors have fully realized the potential mobile devices present.

What emerged in 2016 and 2017 as a trend will become standard operating procedure in 2018 and beyond. Governments, enterprises, and high value individuals should all assume that APT actors will be adding and expanding their mobile capabilities. The era of the mAPT has arrived.

Interested in learning more about how mAPTs could impact mobile devices in your corporate today? Contact us today.


Mike Murray,
Vice President, Security Intelligence

Leave a comment