Slashdot Mirror


EFF: Thousands of People Have Secure Messaging Clients Infected By Spyware (eff.org)

An anonymous reader quotes the EFF: The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients. The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut. "People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos," said EFF Director of Cybersecurity Eva Galperin. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Dark Caracal apparently gets installed through carefully targeted spearphishing attacks, according to the EFF. "Several types of phishing emails directed people -- including military personnel, activists, journalists, and lawyers -- to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people's phones to install the fake apps."

17 of 35 comments

  1. This! by ma1wrbu5tr · Score: 4, Insightful

    Though some obfuscation might point elsewhere, this is state sponsored spyware. Despots, tyrants, and oligarchs HATE the idea that we might have conversations without them. It is hard to control a narrative if you're not privy to the conversation.

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
    1. Re:This! by rtb61 · Score: 1

      So wait up, hmm, let me remember something, ohhh yeahh, for years governments all over the world have contracted out computer stuff to tech companies because of the far greater expertise of tech companies and ohhh yeah, they buy the best staff and the government gets the anal retentive 2nd and 3rd raters. So it can only have been a government, in reality, is like saying it can only have been done by anal retentive 2nd and 3rd raters who have to contract out the complex stuff to tech corporations. Something just doesn't seem right in this story.

      Any major tech companies, whose executive team's only goal is to maximise this quarter's bonus, whilst avoiding jail time and ensuring the penalties for criminal activities are less than the profits generated by those criminal activities, from bribing and corrupting governments, is fully capable and likely inclined to do this stuff; remember the entire globe of countries and tech corporations. Why, hmm, spying on competitors to steal ideas, exposing security weaknesses to crash competitors, insider trading information, spying on politicians as you get a bribe discount when extortion accompanies it and of course just being control freaks (a lot of companies have been caught spying on people and inserting questionable software).

      You know how to tell the difference between a state actor and the major tech corporation, the fucking tech corporations are a whole lot less likely to get fucking caught (they hire the best and hence.......).

      --
      Chaos - everything, everywhere, everywhen
    2. Re: This! by echnaton192 · Score: 1

      The part about Apple is a bold statement. Nobody has reported unwanted communications with Apple servers when Siri is not activated (received the activation command and interpreted it *locally*).

      They had and have their hands in the cookie jar, though. They left messages and contacts, calendar and call lists unencrypted, as those things were most interesting to the powers that be. If iCloud is activated, they will copy your call lists to their servers for your (the government's) convenience.

      Your general statement is correct, 1984 is upon us. With less violence against dissidents than predicted, but still switching them off through propaganda, alternative facts and bogus criminal charges.

      This is why we need to tell people how they can protect themselves for now and where the threats are.

      When secure messengers are illegal - not if - the lack of a sideloading possibility on iPhones will leave people unprotected. But at the moment people wealthy enough to buy iPhones have it easier to protect their privacy than Android users - unless they install a hardened Android without Google apps, risking their warranty.

      The iPhone makes it easier to use secure cloud providers for notes (IMAP), calendar (CalDAV), contacts (CardDAV), documents (WebDAV). On Android it is harder.

      The US government complains about iPhones they cannot access. Analysts criticize Apple for not extracting enough data or even for making data collection optional.

      Apple is evil for a lot of reasons not mentioned here - it just so happens that Google has become worse.

      At the moment wealthy people have it easier to protect their privacy than poor people on mobile devices. Cheap Android devices like those from OnePlus have backdoors and spyware preinstalled. We should inform poor people how to install a better Android flavor.

      I know that we are losing this war against total surveillance. But while we still fight, we should be precise in our criticism and help lesser informed people to make a decision:

      This is why privacy is so important, because...

      Privacy costs comfort. How much privacy are you willing to sacrifice for convenience?

      Installing a more privacy-friendly Android, activating tracking blockers, using more privacy-oriented cloud providers and using Signal from their website costs the least comfort.

      Using boot-time encryption implies typing in a long passphrase after each reboot. If it is random and long enough there is no need to change it often. After a while the long passphrase types itself semi-automatically.

      Encrypting emails from end to end costs usability, especially under iOS. Removing Google apps makes it way harder to install or use certain programs like turn-by-turn navigation.

      Turning off iCloud completely costs some usability. Not turning it off makes it easier for private or official attackers to get the valued information about contacts, communication data and the actual communications. Apple has the data from most iOS users, so there is no need to attack individual devices.

      How to make Windows 10 a little bit less snoopy? Use this tool to change the settings easier, if you must run Windows in the first place: (explain). Use a legal copy of Windows 10 enterprise with disabled telemetry if possible. Use Linux if possible, use these settings: ...

      I am as pessimistic as you are. But even though it is likely that we lose the war we should not spread FUD. We should be as specific about privacy as possible. Your post misses that mark.

    3. Re: This! by echnaton192 · Score: 1

      Addition: I know, Contacts, Calendar and messages are encrypted after a reboot since the Snowden files. But they were not before. I am convinced that this was done to help the US surveillance scheme, but who could prove that?

    4. Re:This! by ckatko · Score: 1

      But if we let people have private conversations without spying, NEO-NAZIS might communicate with each other! /actual_progressives_stance

      #discord_did_nothing_wrong

  2. Are people still this stupid? by known_coward_69 · Score: 1

    downloading apps from non-official sources to be cool or whatever?

  3. Three letter agencies by fph+il+quozientatore · Score: 1

    Thousands only? That's if you assume that the true, official apps are secure, I suppose?

    --
    My first program:

    Hell Segmentation fault

    1. Re: Three letter agencies by echnaton192 · Score: 1

      Are you accusing Moxie Marlinspike of being a collaborator? Or are you simply spreading FUD so that nobody even *tries* to protect what little remains of their privacy?

    2. Re: Three letter agencies by fph+il+quozientatore · Score: 1

      After that interview, the old straw man trick is becoming popular again these days. (1) The 300-pound gorilla is WhatsApp being compromised, not Signal. (2) If a malicious party has root or controls the OS, they can spy on your Signal conversations even if you use the official signed Moxie-approved binary.

      --
      My first program:

      Hell Segmentation fault

  4. It's worse than you think. by Narcocide · Score: 2

    The ones who can get as far as installing it are the smart ones.

  5. sometimes you wonder when to give up on some peopl by Anonymous Coward · Score: 1

    It's astonishing that in 2018 basic computer security isn't demanded of people in high-ranking positions. Really? Spearphishing? Clicking fake links in e-mails? I maybe did this when I was 12, clicking Flash ads for free online games.

  6. What's App? Really? by SeaFox · Score: 4, Insightful

    The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally.

    Why would anyone expect a messaging app associated with Facebook to be a secure communication method? Especially if you're trying to avoid government snooping. Using the most popular, closed-source, corporate-owned social network platform is like painting a big bulls-eye on your back.

    1. Re:What's App? Really? by gtall · Score: 2

      Ever listen to C-SPAN's call-in show in the mornings? Admittedly we're only listening to Americans. However, from the callers we can learn that Jews control everything, particular Senators should be taken out and shot in the head, DACA people deserve the love of Jesus Christ just as soon as they depart for their parents' homeland, Trump is a genius, Trump is a dunderhead, there's nothing wrong with Putin or Russia, etc.

      This lot will not only fall for the latest scam, they'll complain bitterly they weren't let into it sooner and would have been were it not for the government "deep state" and its conspiracy of promulgating global warming and fluoride in the water and vaccines.

    2. Re:What's App? Really? by johannesg · Score: 2

      Those people are self-selected loud-mouths who have a cause to push. Normal people, and that's still the vast majority of them, aren't nearly as nutty.

  7. Re:Name of the beast by sheramil · Score: 1

    What is a caracal?

    It's a small Caldari missile boat with a bonus to lasers. Also a variety of wild cat.

    I followed the links and it seems the solution to a compromised messaging app is to download their protection app. I didn't read their report on the malware because they didn't present it as a webpage - it was a link that said "download report", and I'm wary of downloading crap from sites like this. If you've ever gone looking for solutions to malware, it seems every variant has a website that offers a specific tool to fix it, even things like SecurityHealthService.exe .

  8. Default setting? by ffox80 · Score: 1

    You can't install a third party app without changing a default setting. Has this malware found a way around this?

    1. Re:Default setting? by AHuxley · Score: 1

      If the gov/mil is paying then yes, they can ask for that from their contractors to be part of any malware.
      Recall DROPOUTJEEP https://en.wikipedia.org/wiki/...
      Some malware still needs a human to allow it in, others just get pushed down the network.
      i.e. "spearphishing" ... "to go to a fake app store-like page, where fake Android apps waited."

      Some contractors like their gov/mil malware to just look like normal, existing malware if found. To suggest the code had another nation's origin, another gov was doing the funding if found. Code litter to cover the actual origin. e.g. the anti-forensic Marble framework https://www.theregister.co.uk/...
      Other nations' mil/gov expect to push the bespoke code down to only a user and not need any user interaction. Depends on the price, mission, risk, skill of the user, optics of being detected, what researchers will find when they take apart what they find in the wild.

      So spearphishing can be an easy way in, make the user grant permissions and if discovered it looks like most other spearphishing except for who/how it reports back.
      Get too smart with the number of people being wanted with push-down bespoke code and a lot of researchers take note.
      Gov and mil save that bespoke push down code for interesting people, not mass collect it all efforts over a few nations and a list of professions.
      The easy way in for a gov/mil is just to go full Operation Socialist https://en.wikipedia.org/wiki/... into the telco.
      "The Inside Story of How British Spies Hacked Belgium’s Largest Telco" (December 13 2014)
      https://theintercept.com/2014/...

      --
      Domestic spying is now "Benign Information Gathering"