Kapersky Labs has found a drive-by Android malware, dubbed ZooPark, that seems to be nation-state backed and has been spying on devices in certain regions of the Middle East since at least June of 2015. The malware has four identifiable generations, each adding new features. The current generation is capable of a number of high-level functions, including executing remote commands on a device and even pulling saved logins from browsers. The main distribution channel for the malware seems to be compromised APK files served in drive-by downloads on trusted news and political websites that are popular in the Middle East. The apps come bearing names that piggyback off of official apps and news services, such as TelegramGroups and Alnaharegypt news.
According to Kapersky’s findings, the first generation of the malware was only able to get contacts and account information from target devices. The second generation added in call logs, GPS location, SMS messages, and device-specific information. The third generation added in the critical abilities to pull call audio and browser information, and the fourth generation finally allowed attackers to execute shell commands on the target device, as well as sending SMS messages and making calls remotely. This essentially constitutes full compromise of the device, and allows attackers to know exactly what a targeted device is being used for and even what its owner is doing. Kapersky said that the malware appears to be targeted primarily toward political organizations and activists.
The implications of a state-sponsored mobile malware are, to say the least, unsettling. The exact origin of ZooPark is still unknown at this time, but it has been observed targeting devices in Egypt, Jordan, Morocco, Lebanon and Iran, though it’s possible that it has spread further than that at this point. Kapersky Labs’ product line has had its database updated to detect and block all versions of ZooPark, which means that they can also block malware that works similarly or is based on ZooPark. So far, no government officials from any of the affected countries have come forward to talk about the cyber espionage campaign, so its origin point and exact aim remain a mystery.