New Android-based malware ZooPark target users in Middle East
iSpeech
The security researcher from Kaspersky Lab published ” ZooPark: new Android-based malware campaign spreading through compromised legitimate websites” analysis report and described it as An Advanced Persistent Threat (APT).
APT refers to cyber attacks and intrusions conducted by cybercriminals for the purpose of stealing core data. It is a malicious commercial spy threat that has long been planned. The researchers stated that the start date of ZooPark APT can be traced back to 2015 and continues to this day.
The operating team behind ZooPark APT is considered a new network espionage organization. In the past three years, it has been focusing on targeting Android device users in countries in the Middle East. The victims are mainly distributed in Egypt, Jordan, Morocco, and Lebanon. And Iran and other countries.
In this espionage network that has lasted for three years, the organization also made several updates to the malware it used, and each update introduced new features. Kaspersky Lab identifies the malware as the four major versions (V1 to V4), of which V4 is the latest version deployed in 2017.
From a technical point of view, the development of ZooPark APT has shown significant progress with the update of malware: both V1 and V2 have only simple spyware functions; V3 is almost different from the first two versions, and its source code seems to draw on Another commercial spyware, Spymaster Pro; V4 has undergone a major revision, built on top of V2, and has evolved into a highly sophisticated spyware.
Researchers at Kaspersky Lab discovered multiple invading news sites during the ZooPark event. When targeted victims visit these sites, they are redirected to a website that downloads malicious applications and eventually spreads malicious software. purpose. The researchers observed a number of topics during the event, including “Kurdistan referendum”, “TelegramGroups” and “Alnaharegypt news”.
Version 1.0 (2015) – pretty simple malware
“The first version of the malware that we found (EC5A6F0E743F4B858ABA9DE96A33FB0C) is pretty simple. It has only two functions – stealing contacts from the address book and accounts registered
on the victim device. The malware mimics a Telegram application.”
Version 2.0 (2016) – lightweight spyware
“For this version, every sample contains a hardcoded configuration that contains its C2
address and variables for use in the request. This new version is similar to the previous. The main difference is the inclusion of new spying features such as exfiltrate GPS location, SMS messages, call logs and some extra general information.”
Version 3.0 (2016) – commercial fork
“This version of the malware is especially interesting due to the notable similarities to the commercial spyware product Spymaster Pro. There are several code similarities, with the main difference being that ZooPark uses its own command and control server.”
Version 4.0 (2017) – modern spyware
“This malware variant represents a significant improvement on version 2.0, which seems to indicate that version 3.0 was some kind of fork. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware. This suggests the latest version may have been bought from vendors of specialist surveillance tools. That wouldn’t be surprising, as the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East.”
Suggest Reading
WHO’S WHO IN THE ZOO. CYBERESPIONAGE OPERATION TARGETS ANDROID USERS IN THE MIDDLE EAST.
Gloss