Kaspersky Lab has discovered a new cyber espionage campaign named ZooPark targeting Android devices in the Middle East since June 2015.
Attackers were observed using watering hole attacks as their preferred infection vector: several news websites were compromised to redirect visitors to a malicious website that serves the malicious APKs.
According to researchers, the attackers used four different versions of the malware, labeled v1-v4, and each new version was more advanced and added features to the previous one. The latest version, v4, was released in 2017.
“ZooPark is a cyber espionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017” said in the report published by Kaspersky Lab.
The first version (v1.0), released in 2015, was disguised as the official Telegram application and was capable of stealing contacts from the address book and the accounts registered on the victim's device.
The second version (v2.0), released in 2016, was similar to the first but added spying features such as exfiltrating GPS location, SMS messages, call logs and some extra general information from the victim's device.
The third version (v3.0), also released in 2016, has some similarities to the commercial spyware product Spymaster Pro and had its own command and control server.
The latest version (v4.0) is an improved variant of version 2.0 and comes with additional features such as a keylogger and the ability to capture photos, video and audio and to take screenshots.
Researchers said that the attackers are using Telegram channels to spread the malware and most of the infected victims were located in Egypt, Jordan, Morocco, Lebanon, and Iran.
“From the technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, the commercial spyware fork in its third version and then to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware”.