In today’s fast-paced world, cellphones are an integral part of our personal and work lives. If you have nothing to hide, how open would you be to the idea of handing your cellphone over to airport security or a repair shop? With the disclosure of nation-states using cellphones to spy on their citizens and on any activists who speak out against them, your answer to that question may change in the next few minutes.

In 2018, the teams at the EFF (Electronic Frontier Foundation) and Lookout identified mobile malware that was exfiltrating the following types of information from the affected devices.

Figure 1: Types of data stolen from mobile devices.

This malware was present on devices around the world and has been described by security researchers as cyber-espionage on a global scale. Below are the GPS coordinates of the affected devices.

Figure 2: Mobile devices affected by location

What makes this particular malware more interesting than other mobile malware is the exposure of the exfiltrated data. The stolen data was publicly accessible, which allowed the research teams to pinpoint the operation’s origins from the data taken off each device. The malware was traced back to Lebanon’s General Directorate of General Security (GDGS), which is effectively Lebanon’s CIA, FBI, and NSA bundled into one.

The malware was installed through two primary channels: physical access to the device and phishing.

Based on some of the Wi-Fi and SMS data obtained, it appears that some targets had their cellphones confiscated at the airport so that the malware could be installed. Some targets sent an SMS shortly after the malware was installed saying that they had just got their phone back at the airport. With physical access to a device, the perpetrators behind Dark Caracal would check which applications were already installed and replace them with rogue versions. For example, if WhatsApp was installed on the phone, a rogue WhatsApp would be installed in its place.

The phishing channel of the attack was nothing out of the ordinary. An SMS or a chat message via Facebook or WhatsApp was sent to the target in the hope of persuading them to install the rogue application. If the phish against the target was not successful, the attackers would try the target’s family members instead.
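Both channels leave the same trace on the handset: a package that was not there before, or a package with a familiar name whose signing certificate no longer matches the legitimate one. The following added example (not from the post or from the EFF/Lookout report) diffs two inventory snapshots of a device, one taken before handing it over and one after getting it back. The snapshot format is constructed for the example: one line per package in the style of `adb shell pm list packages -i`, extended with a `signer=` field holding the SHA-256 digest of the app’s signing certificate.

```python
import re
from collections import namedtuple

# Constructed snapshot data (not real device output). The signer digests are
# shortened placeholders; a real inventory would carry full SHA-256 values.
BEFORE = """\
package:com.whatsapp installer=com.android.vending signer=aa11
package:com.facebook.orca installer=com.android.vending signer=bb22
package:com.example.bank installer=com.android.vending signer=cc33
"""
AFTER = """\
package:com.whatsapp installer=null signer=dd44
package:com.facebook.orca installer=com.android.vending signer=bb22
package:com.example.bank installer=com.android.vending signer=cc33
package:com.example.updater installer=null signer=ee55
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s+signer=([0-9a-fA-F]+)$")
App = namedtuple("App", "installer signer")

def parse_snapshot(text):
    """Parse the constructed snapshot format into {package_name: App}."""
    apps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable snapshot line: {line!r}")
        name, installer, signer = m.groups()
        apps[name] = App(installer, signer.lower())
    return apps

def diff_snapshots(before, after):
    """Return (package, reason) findings in package-name order."""
    findings = []
    for name, new in sorted(after.items()):
        old = before.get(name)
        if old is None:
            findings.append((name, "new package, installer=" + new.installer))
        elif old.signer != new.signer:
            # Same package name but a different signing certificate: Android will
            # not update across signers, so the original app was removed and a
            # differently signed one installed under the same name.
            findings.append((name, "signer changed (possible trojanized replacement)"))
        elif old.installer != new.installer:
            findings.append((name, f"installer changed {old.installer} -> {new.installer}"))
    for name in sorted(set(before) - set(after)):
        findings.append((name, "package removed"))
    return findings

if __name__ == "__main__":
    for pkg, reason in diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"{pkg}: {reason}")
```

On the constructed data this flags `com.whatsapp` (signer changed, installer no longer the store) and the sideloaded `com.example.updater`; a clean round trip produces no findings.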

The project was named Dark Caracal and more detailed information can be found here.

The full fallout of Dark Caracal has yet to be seen, but the sophistication, persistence, and success of the attacks indicate that more variations are coming. Given the information above, it may be a good idea to reset your device whenever a third-party organization or government has had access to it, because you likely won’t know what they have done to it.