
Cyber Espionage Malware Taps Smartphones, Sends Chills

Sophisticated malicious code hasn't gotten the notice that the Sony hack has, but that's the point

Photo-illustration: John Lund/Getty Images

A mysterious malware campaign resembling an attack on Russian officials from earlier this year could be the most sophisticated cyberattack yet discovered.

This fall, around the time hackers were draining crucial digital lifeblood from Sony Pictures, one of the most sophisticated malware attacks in history (completely separate from the Sony hack) was coming to a close. Presumably retreating after being exposed by security researchers, the cyber espionage campaign targeted smartphones of business, government, and embassy officials around the world. Its structure parallels an earlier attack aimed primarily at Russian executives, diplomats, and government officials, but the extent of the damage inflicted by the recent campaign—as well as its prospects of returning under a new guise—is still unknown.

Waylon Grange, senior malware researcher at Blue Coat Labs in Sunnyvale, Calif., says he’s taken apart both the malware that infected Sony Pictures’ internal networks and the malicious code behind the Russian hack. And in terms of the relative complexity and sophistication of the designs—though of course not by the level of damage—there’s no contest.

“In terms of sophistication, the Sony malware is really low on the pecking order,” he says. “The Sony malware was more destructive. This one is very selective. When it runs, this one does very well tracking its steps. If anything is wrong or the system is not configured just right, this malware detects it, quietly backs off, doesn’t make any errors, cleans itself up and is gone.”

As a result, Grange says, it's been a difficult cyber infection to study and trace. And its code base and Internet routing are so full of false leads and red herrings that it has, to date, proved impossible to source back to any group, nation, or band of hackers. Whoever it is, Grange says, has assembled a next-generation attack that should make security researchers sit up and pay attention.

And, especially in light of how much horrible mischief the far simpler Sony attack has wrought, businesses and governments should also be educating their workforces on cybersecurity and installing more and better locks on their cyber doors and windows.

In a blog post earlier this month, Grange’s colleagues at Blue Coat unveiled the details of the attack, whose infection route begins with a spearphishing e-mail to targeted business, government, and diplomatic users in at least 37 countries. The e-mail poses as an update or special offer for users to download the latest version of WhatsApp. Unfortunate users who click this link download infected Android, Blackberry and iOS versions of the popular messaging app.

An infected smartphone then records calls made by the user and awaits instructions telling it the Internet address to which it should upload the surreptitiously recorded phone calls.

Such an attack would already be remarkable and impressive, Grange says. But it’s only the first of at least two more layers of command and control structure for the malware campaign.

In the second step, apps check a redundant list of hacked public blogs whose posts contain legitimate text at the top (presumably in order to avoid being de-listed by search engines or otherwise flagged) followed by long strings of encrypted code. The malware then decrypts the code, providing itself a list containing a second set of command and control websites.

These sites, the researchers found, are often compromised Web pages run on outdated content management software in Poland, Russia, and Germany. It’s at these second-tier websites that the malware then decodes its rapidly changing list of drop-zones for offloading the phone call recordings.
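As an added illustration (not part of the article or of Blue Coat's research), here is a defender-side heuristic for the pattern described above, in which an otherwise ordinary blog post is followed by a long opaque block of encoded data. The sample post, the length and entropy thresholds, and the function names are constructed assumptions, not values from the campaign.

```python
import math
import re

# Base64 alphabet; used here only to construct a deterministic sample blob.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample: a decoy post with ordinary prose on top and an opaque
# appended block, mirroring the pattern the article describes. Not real data.
SAMPLE_POST = (
    "Ten tips for a tidy garden this autumn.\n\n"
    "Rake leaves early, mulch the beds, and cover tender plants before "
    "the first frost arrives.\n\n"
    + B64 * 4 + "\n"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: English prose sits near 4.0-4.3, random base64 near 6.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_opaque_blobs(text: str, min_len: int = 64, min_entropy: float = 4.5) -> list:
    """Flag whitespace-free runs far longer than any natural word that also have
    high entropy, and record whether readable prose precedes each one.
    Thresholds are assumed starting points, to be tuned per corpus."""
    findings = []
    for m in re.finditer(r"\S+", text):
        token = m.group(0)
        if len(token) < min_len:
            continue
        ent = shannon_entropy(token)
        if ent < min_entropy:
            continue
        # "prose before" means a reasonable number of ordinary words lead up to the blob
        words_before = re.findall(r"\b[A-Za-z]{2,15}\b", text[:m.start()])
        findings.append({
            "offset": m.start(),
            "length": len(token),
            "entropy": round(ent, 2),
            "prose_before": len(words_before) >= 10,
        })
    return findings


if __name__ == "__main__":
    for finding in find_opaque_blobs(SAMPLE_POST):
        print(finding)
```

Hex-encoded payloads top out at 4 bits per character and would pass the length check but not the 4.5-bit entropy threshold, so the two thresholds need to be tuned together for the encodings you expect to see.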

Earlier this year, Blue Coat also detected and studied a similar multilayered Windows-based attack that was carried out primarily in Russia. It began with an infected Microsoft Word document that then infected a PC, causing it to follow an even more carefully guarded and circuitous route for receiving instructions. Subsequently infected PCs would first search a series of hacked cloud service accounts, which in turn would point to hacked embedded devices around the world (including wireless routers, satellite TV boxes and digital TV recording devices). Those compromised devices would in turn point back to virtual private networks that contained the instructions for the malware.

Disassembling the infected code, Grange says, led security researchers to multiple conflicting conclusions about its authors. One piece of the infected Android app contained the Hindi character for "error." Several of the infected blog profiles have set their location to Iran. Many infected home routers are in South Korea. Text strings in the Blackberry malware are in Arabic. Another contained the comment “God_Save_The_Queen.”

It was the many layers of red herrings and command and control, Grange says, that inspired Blue Coat to call the original (Russian) malware “Inception,” in homage to the 2010 thriller that contains onion-like layers of story to be peeled away. Blue Coat hasn't explicitly named the smartphone cyberespionage attack, though they strongly suspect it's either by the same hackers or strongly inspired by the "Inception" malware.

“These people are going to great lengths to protect who they are,” he says. “We’ve seen [attackers] use the cloud. But we’ve never seen routers, and we’ve never seen anyone use cloud, router, and private services to hide their identity.”

Grange says the smokescreens have worked so far; he has yet to establish any solid leads on who could have conducted these sophisticated attacks. Yet the lessons learned from the attacks, he said, are not nearly as mysterious. Among them:

• Don’t click links in your e-mail browser—especially in any e-mail from an unknown user, or strange e-mails from known users.

• Don’t root your phone. Because the iPhone, for instance, doesn’t allow for updates outside of the iTunes store, Inception wouldn’t work on a non-rooted iPhone.

• Only update mobile apps through your trusted app store (e.g. iTunes or Google Play).

• Always change the default passwords (“admin,” “password,” etc.) for your household devices.

“We probably haven’t seen the end of these guys,” Grange says. “I’m sure they’ll come back. It’s just a matter of how long have we set them back—and what will be their new toys when they come back.”
