Malware Turns Smartphone Into Eavesdropper

I read an interesting article on Naked Security the other day about how Hamas had used Facebook and social engineering tactics to trick Israeli soldiers into installing surveillance malware.  The malware allowed Hamas to track the soldiers using the phone’s GPS, and to turn on the microphone and video to actually listen in and and watch their targets.  Hamas undoubtedly picked up the malware on the Dark Web.  I guess this is a new tactic in cyber-warfare.  You can read about this on Naked Security or the Israeli Defense Force (IDF) blog.

This got me thinking about how a cyber-criminal or cyber-stalker might use similar tools to find, track, and eavesdrop on their victims.  It turns out it is quite simple, and in some cases the attacker does not even need access to your phone.  They just need a ploy to get you to download and install the app for them.

In the case of the IDF, Hamas was using fake Facebook profiles of pretty young women to open a dialog with the soldiers.  Once she had them chatting, she would send them pictures of her at the beach or other provocative selfies.  With the hook set, she would convince them to download a video chat app so they could chat live.  She sent them a link to a third party app store called “apkpkg.com” to download “Wowo Messenger.”  The video chat app allowed Hamas to see everything stored on the phone, read and send emails from the soldier’s account, track them via GPS, and turn on the microphone and camera to listen and observe what was going on in the immediate proximity.

There are companies selling legitimate software application that do the same thing, and more. We have links to a couple of them below.

This method would work pretty well on the average smartphone owner, too.  Using social engineering techniques to spark an online romance via Facebook or a dating website would be a pretty easy thing to accomplish.  Besides stealing all the phone information and tracking and eavesdropping on the target, they could also be set up for a good old financial scam, where the victim is lured into sending or lending money to the perpetrator.

You can protect yourself from the app download by avoiding third party app stores.  Sticking with the Apple Store or Google Play are the safe bet.  And remember, anyone who has access to our phone could install one of the more powerful commercial apps.  As far as the romantic social engineering approach, you just have to be on your guard.  If your new romance is progressing rapidly, they profess immediate deep feelings of love, and then are asking for money, there is a safe bet this is a scam.

More Information:

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment