Last week Kaspersky Lab specialists told about the intricate cyber-spy campaign ZooPark , the victims of which are users of Android from the Middle East.
Researchers have been monitoring the development of this malicious program since 2015. Its current version is already the fourth and can steal from the infected smartphone almost any information, from contact data to logs of calls and records from the keyboard. ZooPark is able to collect and transfer to its owners the following information:
- information about user accounts;
- call history;
- audio recordings;
- SMS content;
- bookmarks and browser history
- search history in the browser;
- device location;
- device information;
- information about installed applications;
- any files from the memory card;
- documents from the device;
- data , entered from the on-screen keyboard;
- data from the clipboard;
- application data (for example, Telegram messengers, WhatsApp and IMO, and Chrome browser).
In addition, ZooPark on the team can take screenshots and photos, and record video. For example, he can take a photo of the owner of the smartphone from the front camera and send it to his operators.
In this case, ZooPark is used for targeted attacks, that is, it is calculated not for all in a row, but for a specific audience. Thus, the victims of intruders are those who are interested in certain topics, and more specifically – the policies of some Middle Eastern countries.
There are two ways of propagation in ZooPark: via Telegram channels and using drive-by hidden-download attacks . For example, criminals offered an application for a remote referendum vote on the independence of Iraqi Kurdistan in the Telegram channel.
Also, cybercriminals crack popular in certain countries or circles resources, after which the site automatically starts to download the infected application, pretending to be useful, to example, the official application of this news resource. Finally, in some cases, the Trojan pretended to be an all-in-one messenger.
A week after the publication of this report, Vice Motherboard was approached by an unknown hacker who claims to have been hacked into one of the servers of ZooPark operators in Tehran. “10 minutes of effort; information about the Iranian APT, “the anonymous author writes. It should be noted that in their report Kaspersky Lab experts assumed that the so-called “government hackers” are most likely to be behind ZooPark, but they did not make any specific conclusions about their country.
Journalists acknowledge that the hacker the information was not without interest. The unknown man was able to retrieve text messages, emails and GPS coordinates extracted from devices infected by ZooPark, and even recording audio calls of affected users.
Photo: Kaspersky Lab