Slashdot Mirror


EFF: Thousands of People Have Secure Messaging Clients Infected By Spyware (eff.org)

An anonymous reader quotes the EFF: The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data have been stolen, primarily through mobile devices compromised by fake secure messaging clients. The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut. "People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos," said EFF Director of Cybersecurity Eva Galperin. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Dark Caracal apparently gets installed through carefully-targeted spearphishing attacks, according to the EFF. "Several types of phishing emails directed people -- including military personnel, activists, journalists, and lawyers -- to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people's phones to install the fake apps."
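A repackaged Signal or WhatsApp can look and behave exactly like the real app, but it cannot carry the real publisher's signing key. The check a practitioner wants against the "fake app store" scenario above is therefore not "does the app work?" but "who signed this APK?". The script below is an added example written for this page, not code from the EFF/Lookout report or from either app's project: it opens an APK as a zip, pulls the PKCS#7 block out of META-INF/*.RSA (the v1 JAR signature), walks the DER with a minimal stdlib-only parser to extract the signer certificate(s), and compares their SHA-256 fingerprint against a known-good value. Everything under "constructed sample data" is an assumption: the certificates are stubs, not real X.509, and the APKs are synthetic in-memory zips. The real reference fingerprint is deliberately not embedded; it must be recorded once from a trusted install (for example with `apksigner verify --print-certs`), since a fingerprint copied from the same fake download page proves nothing. APK v2/v3 signing blocks are not parsed here.

```python
"""Fingerprint the signing certificate in an APK's v1 (JAR) signature block.

Stdlib only. A trojanized build cannot be signed with the real publisher's key,
so a SHA-256 mismatch on the signer certificate flags a repackaged APK no matter
how convincing the download page looked. v2/v3 signing blocks are not parsed.
"""
import hashlib
import io
import zipfile

def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end, node_start, node_end) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend, pos, vend
        pos = vend

def certificates_from_pkcs7(der):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    tag, v0, v1 = _read_tlv(der, 0)        # ContentInfo ::= SEQUENCE { OID, [0] EXPLICIT SignedData }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(der, v0, v1))
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("no [0] EXPLICIT content")
    tag, s0, s1 = _read_tlv(der, kids[1][1])   # the SignedData SEQUENCE itself
    if tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    certs = []
    for tag, c0, c1, _, _ in _children(der, s0, s1):
        if tag == 0xA0:                    # certificates [0] IMPLICIT SET OF Certificate
            for ctag, _, _, n0, n1 in _children(der, c0, c1):
                if ctag == 0x30:           # each Certificate is itself a SEQUENCE
                    certs.append(der[n0:n1])
    return certs

def fingerprint(cert_der):
    """SHA-256 over the DER certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every signer certificate found in META-INF/*.RSA, *.DSA or *.EC."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.add(fingerprint(cert))
    return fps

def verdict(apk_bytes, expected_fingerprint):
    """'signer-ok', 'signer-mismatch', or 'unsigned-v1' (no JAR signature block at all)."""
    fps = apk_signer_fingerprints(apk_bytes)
    if not fps:
        return "unsigned-v1"
    return "signer-ok" if expected_fingerprint.lower() in fps else "signer-mismatch"

# --- constructed sample data: stub certificates and synthetic APKs, not real X.509 ---
def _tlv(tag, body):
    """Minimal DER encoder, used only to build the sample blobs below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

OID_SIGNED_DATA = bytes.fromhex("06092A864886F70D010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092A864886F70D010701")          # 1.2.840.113549.1.7.1
STUB_CERT_GOOD = _tlv(0x30, _tlv(0x0C, b"stub certificate: legitimate publisher key"))
STUB_CERT_EVIL = _tlv(0x30, _tlv(0x0C, b"stub certificate: repackager's key"))

def build_sample_pkcs7(cert_der):
    """SignedData carrying one certificate; digestAlgorithms and signerInfos left empty (stub)."""
    signed_data = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, OID_DATA)
                       + _tlv(0xA0, cert_der) + _tlv(0x31, b""))
    return _tlv(0x30, OID_SIGNED_DATA + _tlv(0xA0, signed_data))

def build_sample_apk(cert_der=None):
    """In-memory APK-shaped zip; cert_der=None yields an APK with no v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<stub/>")
        z.writestr("classes.dex", b"dex\n035\x00stub")
        if cert_der is not None:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", build_sample_pkcs7(cert_der))
    return buf.getvalue()

if __name__ == "__main__":
    known_good = fingerprint(STUB_CERT_GOOD)   # in practice: recorded from a trusted install
    for label, cert in (("genuine", STUB_CERT_GOOD), ("repackaged", STUB_CERT_EVIL), ("no v1 sig", None)):
        print(f"{label:>10}: {verdict(build_sample_apk(cert), known_good)}")
```

On a real device the same comparison is what `apksigner verify --print-certs` or `keytool -printcert -jarfile` gives you; the point of doing it by hand is to see that the fingerprint is a hash of the certificate DER inside the signature block, not of the APK, so a repackager cannot preserve it without the private key. The caveat is that the check only helps before install and only against a repackaged app: it does nothing if the device or OS itself is already compromised, and a v2/v3-only APK will report "unsigned-v1" here rather than a verdict.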

35 comments

  1. This! by ma1wrbu5tr · · Score: 4, Insightful

    Though some obfuscation might point elsewhere, this is state sponsored spyware. Despots, tyrants, and oligarchs HATE the idea that we might have conversations without them. It is hard to control a narrative if you're not privy to the conversation.

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    1. Re:This! by Anonymous Coward · · Score: 0, Insightful

      Unlikely Lebanon would be doing this - considering the targets in the west are generally supportive of Lebanon.

      It's the other ethnic cleansing neighbour (Israel) and their allies that have the most reason to keep tabs on those sorts of people.

    2. Re:This! by rtb61 · · Score: 1

      So wait up, hmm, let me remember something, ohhh yeahh, for years governments all over the world have contracted out computer stuff to tech companies because of the far greater expertise of tech companies and ohhh yeah, they buy the best staff and the government gets the anal retentive 2nd and 3rd raters. So "it can only have been a government" in reality is like saying it can only have been done by anal retentive 2nd and 3rd raters who have to contract out the complex stuff to tech corporations. Something just doesn't seem right in this story.

      Any major tech companies, whose executive team's only goal is to maximise this quarter's bonus, whilst avoiding jail time and ensuring the penalties for criminal activities are less than the profits generated by those criminal activities, from bribing and corrupting governments, is fully capable and likely inclined to do this stuff, remember the entire globe of countries and tech corporations. Why, hmm, spying on competitors to steal ideas, expose security weaknesses to crash competitors, insider trading information, spying on politicians as you get a bribe discount when extortion accompanies it and of course just being control freaks (a lot of companies have been caught spying on people and inserting questionable software).

      You know how to tell the difference between a state actor and the major tech corporation, the fucking tech corporations are a whole lot less likely to get fucking caught (they hire the best and hence.......).

      --
      Chaos - everything, everywhere, everywhen
    3. Re:This! by Anonymous Coward · · Score: 0

      And in the other part of the world every corporate CEO hates you having a conversation without them. Android phones listening all the time, amazon echoes listening all the time, apple iphones listening all the time, your "smart" tv listening all the time, your thermostat listening all the time.... Your car info system running on android listening all the time. 1984 is not a myth, it is reality.

    4. Re: This! by echnaton192 · · Score: 1

      The part about apple is a bold statement. Nobody has reported unwanted communications with apple servers when Siri is not activated (received the activation command and interpreted it *locally*).

      They had and have their hands in the cookie jar, though. They left messages and contacts, calendar and call lists unencrypted, as those things were most interesting to the powers that be. If the icloud is activated, they will copy your call lists to their servers for your (the government's) convenience.

      Your general statement is correct, 1984 is upon us. With less violence against dissidents than predicted, but still switching them off through propaganda, alternative facts and bogus criminal charges.

      This is why we need to tell people how they can protect themselves for now and where the threats are.

      When secure messengers are illegal - not if - the lack of sideloading on iPhones will leave people unprotected. But at the moment people wealthy enough to buy iPhones have it easier to protect their privacy than android users - unless they install a hardened android without google apps, risking their warranty.

      The iPhone makes it easier to use secure cloud providers for notes (IMAP), calendar (caldav), contacts (carddav), documents (webdav). On android it is harder.

      The US government complains about iPhones they can not access. Analysts criticize apple for not extracting enough data or even for making data collection optional.

      Apple is evil for a lot of reasons not mentioned here - it just so happens that Google has become worse.

      At the moment wealthy people have it easier to protect their privacy than poor people on mobile devices. Cheap Android devices like those from OnePlus have backdoors and spyware preinstalled. We should inform poor people how to install a better android flavor.

      I know that we are losing this war against total surveillance. But while we still fight, we should be precise in our criticism and help lesser informed people to make a decision:

      This is why privacy is so important, because...

      Privacy costs comfort. How much privacy are you willing to sacrifice for convenience?

      Installing a more privacy friendly Android, activating tracking blockers, using more privacy oriented cloud providers and using Signal from their website costs the least comfort.

      Using boot time encryption implies typing in a long passphrase after each reboot. If it is random and long enough there is no need to change it often. After a while the long passphrase types itself semi-automatically.

      Encrypting emails from end to end costs usability, especially under iOS. Removing google apps makes it way harder to install or use certain programs like turn by turn navigation.

      Turning off the icloud completely costs some usability. Not turning it off makes it easier for private or official attackers to get the valued information about contacts, communication data and the actual communications. Apple has the data from most iOS users, so there is no need to attack individual devices.

      How to make Windows 10 a little bit less snoopy? Use this tool to change the settings easier, if you must run Windows in the first place: (explain). Use a legal copy of Windows 10 enterprise with disabled telemetry if possible. Use Linux if possible, use these settings: ...

      I am as pessimistic as you are. But even though it is likely that we lose the war we should not spread FUD. We should be as specific about privacy as possible. Your post misses that mark.

    5. Re: This! by echnaton192 · · Score: 1

      Addition: I know, Contacts, Calendar and messages are encrypted after a reboot since the Snowden files. But they were not before. I am convinced that this was done to help the US surveillance scheme, but who could prove that?

    6. Re:This! by Anonymous Coward · · Score: 0

      You have left out the most dangerous group of people capitalizing on capturing and exploiting data for profit. Dedicated and tech savvy criminals are the real threat. These guys are way more dangerous than a government that doesn't exactly have a very good track record when it comes to cyber related activities both foreign and domestic. A government may have access to tanks, bombs, ships, and soldiers but they are just as vulnerable as a regular citizen is when it comes to fighting on the cyber battlefield. Corporations are also more vulnerable than your average citizen. Grabbing corporate data is way more profitable than exploiting data on single individuals. The vast majority of people never do or say anything in their lives worth tracking down and exploiting on a mass scale.

      The development of mobile application platforms has followed the same path as MS and Apple did back in the 80's and 90's. Getting new hardware and software technology to the market first has always been more important than any security concerns. All the major OS's today did not start life with an infrastructure that took security into consideration from day one. Instead we are left with bolting on "patches" which basically just wallpaper over the underlying security flaws. Adding a real and enforceable security model to any platform from the ground up would drastically reduce any backwards compatibility trying to be preserved.

    7. Re:This! by ckatko · · Score: 1

      But if we let people have private conversations without spying, NEO-NAZIS might communicate with each other! /actual_progressives_stance

      #discord_did_nothing_wrong

    8. Re:This! by Anonymous Coward · · Score: 0

      It's a good argument for the exploits not being US Government-based (NSA, etc.) since they do subcontract. PLA, FSB don't seem to do so. Fascist and all that.

      Regarding Lebanon/Israel, just a couple of issues. First, just because you're friendly today doesn't have any implication for tomorrow. See, e.g. U.S. and Israel, roughly 1980-1992, 1992-2000, 2000-2008, 2008-2016, 2016-pres. Second, suggesting Israel is involved with ethnic cleansing does require at least a minimal cite, ideally from someplace without an interest in the outcome (I know, good luck.)

      I will grant you the major tech corporations have, at least, motive to participate. Apple, Google, Facebook, at least (and only in my poor opinion) do seem to have an interest in concealing their internal activities and pushing forward with their visions of their futures. Or not, YMMV

    9. Re:This! by Anonymous Coward · · Score: 0

      This is the main reason startssl lost their CA, but it has gone much farther. Fly into China and roam on China Telecom for a few days and see how many updates your apps will get from the play store. Google, etc. know about this, can't say shit about it, and honestly they are doing something well beyond just faking certs at this point.

  2. Are people still this stupid? by known_coward_69 · · Score: 1

    downloading apps from non-official sources to be cool or whatever?

    1. Re:Are people still this stupid? by Anonymous Coward · · Score: 0

      Probably safer than getting them from "official sources".

    2. Re:Are people still this stupid? by Anonymous Coward · · Score: 0

      Man in the middle attacks can of course inject whatever bullshit..

    3. Re:Are people still this stupid? by Anonymous Coward · · Score: 0

      Actually, this is more about flying into China and over the course of a week or two all of your android apps seem to get 'new' updates from the play store.

    4. Re:Are people still this stupid? by Anonymous Coward · · Score: 0

      downloading apps from non-official sources to be cool or whatever?

      I don't care if a source is official or popular or legal. I'm much more interested in whether or not a source is reputable.

  3. Three letter agencies by fph+il+quozientatore · · Score: 1

    Thousands only? That's if you assume that the true, official apps are secure, I suppose?

    --
    My first program:

    Hell Segmentation fault

    1. Re: Three letter agencies by echnaton192 · · Score: 1

      Are you accusing Moxie Marlinspike of being a collaborator? Or are you simply spreading FUD so that nobody even *tries* to protect the little rest of their privacy?

    2. Re: Three letter agencies by fph+il+quozientatore · · Score: 1

      After that interview, the old straw man trick is becoming popular again these days. (1) The 300-pound gorilla is Whatsapp being compromised, not Signal (2) if a malicious party has root or controls the OS, they can spy on your Signal conversations even if you use the official signed Moxie-approved binary.

      --
      My first program:

      Hell Segmentation fault

  4. Name of the beast by Anonymous Coward · · Score: 0

    A caracul is a sheep. A caracol is a snail. What is a caracal?

    1. Re:Name of the beast by sheramil · · Score: 1

      What is a caracal?

      It's a small Caldari missile boat with a bonus to lasers. Also a variety of wild cat.

      I followed the links and it seems the solution to a compromised messaging app is to download their protection app. I didn't read their report on the malware because they didn't present it as a webpage - it was a link that said "download report", and I'm wary of downloading crap from sites like this. If you've ever gone looking for solutions to malware, it seems every variant has a website that offers a specific tool to fix it, even things like SecurityHealthService.exe .

    2. Re:Name of the beast by Anonymous Coward · · Score: 0

      > What is a caracal?

      It's a city in Romania:

      https://en.wikipedia.org/wiki/...

  5. It's worse than you think. by Narcocide · · Score: 2

    The ones who can get as far as installing it are the smart ones.

  6. Aaaand it's Android again! by Anonymous Coward · · Score: 0

    Surprise!

  7. sometimes you wonder when to give up on some people by Anonymous Coward · · Score: 1

    it's astonishing that in 2018 basic computer security isn't demanded of people in high ranking positions. Really? Spearphishing? Click fake links in e-mails? I maybe did this when I was 12, clicking flash ads for free online games.

  8. What's App? Really? by SeaFox · · Score: 4, Insightful

    The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally.

    Why would anyone expect a messaging app associated with Facebook to be a secure communication method? Especially if you're trying to avoid government snooping. Using the most popular, closed-source, corporate-owned social network platform is like painting a big bulls-eye on your back.

    1. Re:What's App? Really? by gtall · · Score: 2

      Ever listen to CSPAN's call in show in the mornings? Admittedly we're only listening to Americans. However, from the callers we can learn that Jews control everything, particular Senators should be taken out and shot in the head, DACA people deserve the love of Jesus Christ just as soon as they depart for their parent's homeland, Trump is a genius, Trump is a dunderhead, there's nothing wrong with Putin or Russia, etc.

      This lot will not only fall for the latest scam, they'll complain bitterly they weren't let into it sooner and would have been were it not for the government "deep state" and its conspiracy of promulgating global warming and fluoride in the water and vaccines

    2. Re:What's App? Really? by johannesg · · Score: 2

      Those people are self-selected loud-mouths who have a cause to push. Normal people, and that's still the vast majority of them, aren't nearly as nutty.

  9. Default setting? by ffox80 · · Score: 1

    You can't install a third party app without changing a default setting. Has this malware found a way around this?

    1. Re:Default setting? by AHuxley · · Score: 1

      If the gov/mil is paying then yes, they can ask for that from their contractors to be part of any malware.
      Recall DROPOUTJEEP https://en.wikipedia.org/wiki/...
      Some malware still needs a human to allow it in, others just get pushed down the network.
      i.e. "spearphishing" ... "to go to a fake app store-like page, where fake Android apps waited."

      Some contractors like their gov/mil malware to just look like normal, existing malware if found. To suggest the code had another nation's origin, that another gov was doing the funding if found. Code litter to cover the actual origin. e.g. the anti-forensic Marble framework https://www.theregister.co.uk/...
      Other nations' mil/gov expect to push the bespoke code down to only a user and not need any user interaction. Depends on the price, mission, risk, skill of the user, optics of being detected, what researchers will find when they take apart what they find in the wild.

      So spearphishing can be an easy way in, make the user grant permissions and if discovered it looks like most other spearphishing except for who/how it reports back.
      Get too smart with the number of people being wanted with push-down bespoke code and a lot of researchers take note.
      Gov and mil save that bespoke push-down code for interesting people, not mass-collect-it-all efforts over a few nations and a list of professions.
      The easy way in for a gov/mil is just to go full Operation Socialist https://en.wikipedia.org/wiki/... into the telco.
      "The Inside Story of How British Spies Hacked Belgium’s Largest Telco" (December 13 2014)
      https://theintercept.com/2014/...

      --
      Domestic spying is now "Benign Information Gathering"
  10. Lebanon? Sure. by Anonymous Coward · · Score: 0

    This is clearly NSA and CIA again. Treat them as what they are - terrorist organisations. When Apple and Google are ultimately in control of what actually comes off their servers and onto your phone, and they in turn have to do what the three-letter terrorist organisations tell them, why the F would you actually believe LEBANON OF ALL COUNTRIES is responsible?

  11. Sole purpose of mobile? by Anonymous Coward · · Score: 0

    But I thought spyware is the sole purpose of mobile computing. Isn't that why you have to install leaky, crappy apps that barely work at all instead of going to websites with a reasonably secure browser?