The Electronic Frontier Foundation and Lookout, a mobile security company, have uncovered a global spying operation that has compromised thousands of Android smartphones and Windows computers around the world.
The hacking group, named Dark Caracal by EFF and Lookout researchers, may also be a nation-state actor.
How Do Dark Caracal Hackers Operate?
The Dark Caracal hackers, according to the joint report by the EFF and Lookout, primarily operate by distributing fake versions of secure messaging apps such as WhatsApp and Signal. These trojanized apps function just like their legitimate counterparts, but they also allow the hacking group to steal messages, take pictures, record audio, acquire location information, and more.
On Windows computers, the malware is also capable of taking screenshots, extracting Skype log files, and stealing confidential documents. The spying operation is prolific, with victims including lawyers, journalists, activists, and military personnel across 21 countries.
However, the attack itself is not a sophisticated one: it relied on the hackers sending phishing messages that linked either to downloads of the fake, malware-laced apps or to fake websites that harvested the victims' login credentials. No software vulnerability had to be exploited; the victim's own trust in the message did the work.
Dark Caracal was uncovered by the security researchers of the EFF and Lookout when the hackers accidentally revealed themselves through an exposed server found on the open internet. The server has since been moved to a new host, and can no longer be accessed by the researchers.
Meanwhile, as with most other malware cases, the best way to protect oneself from Dark Caracal's attacks is to be wary of links sent in unsolicited messages and to only download apps from the official app stores. Note that a link arriving from a known contact is not automatically safe, since that contact's account may itself have been compromised; the safer check is whether the app comes from the official store and its legitimate publisher rather than from a link in a message.
Who Is Behind Dark Caracal?
Dark Caracal was found to be using infrastructure that has been linked to nation-state actors, which suggests, though does not by itself prove, that the hacking group is also backed by a national government.
Further investigations by the EFF and Lookout traced Dark Caracal to Beirut, Lebanon, specifically to a building that belongs to the Lebanese General Security Directorate (GDGS). The researchers tracked down the devices that Dark Caracal was using for malware testing and found them clustered in the building in Beirut.
"Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal," said the researchers.
The report claims that Dark Caracal has been in operation since at least 2012. However, the hacking group has been difficult to track because seemingly unrelated campaigns were launched from the same domains, which made attribution unreliable.
The researchers now believe that Dark Caracal is not the only attacker using this infrastructure, and that some of Dark Caracal's operations have previously been wrongly attributed to other groups.