By Thomas Brewster
A cyber espionage group – believed to be operating out of India and Pakistan – is tracking thousands of citizens through malware disguised as popular messaging apps, a new Facebook report reveals.
The report details the activity of the Bitter APT group, which installs malware on Android devices via fake versions of the WhatsApp, Signal and Telegram apps, which have been widely used lately by Ukrainians as a means of disseminating information about the Russian invasion (APT stands for “Advanced Persistent Threat” and is a designation usually given to state-sponsored hacker groups). The malware, nicknamed “Dracarys” after a string found in its code (possibly a reference to Game of Thrones), can – as Facebook reports – extract all kinds of information from an Android device, including call logs, contacts, files, text messages and geolocation data. It can also gain access to a device’s camera and microphone.
“Dracarys” has been spread across Meta’s social media – Facebook and Instagram – by hackers posing as attractive young women, journalists or activists, who convince their targets to download the fake app. Once the download is complete, “Dracarys” enlists accessibility “tools” used by disabled users to automatically click and grant device permissions, such as the camera.
According to Facebook, in this way the malware collects data from the phone while still appearing to be an authentic application, evading anti-virus defenses. “Bitter was able to install malicious functionality in a way that went unnoticed by the security system for quite some time,” Facebook said in its report.
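The two traits the report attributes to “Dracarys” (a look-alike of a well-known messaging app that is sideloaded rather than installed from the Play Store, and an enabled accessibility service used to auto-grant permissions) are both visible from a device's own settings. The following triage script is an added example written for this article; it is not code from Meta, Google or the report, and the two command outputs it parses are constructed samples in the format printed by `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`. The fake package names it flags are invented for the example; the official package names and the Play Store installer id are real.

```python
"""Triage helper: flag sideloaded look-alikes of WhatsApp, Signal or
Telegram that also hold accessibility-service privileges.

Added example for this article (not from the report). The sample outputs
below are constructed; the fake package names in them are invented.
"""

# Official package names of the apps the report says were impersonated.
OFFICIAL = {
    "whatsapp": {"com.whatsapp", "com.whatsapp.w4b"},
    "signal": {"org.thoughtcrime.securesms"},
    "telegram": {"org.telegram.messenger"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Constructed sample of `adb shell pm list packages -i` output.
PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=com.android.vending
package:com.secure.whatsapp.chat  installer=null
package:org.signal.messenger.update  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
A11Y_OUTPUT = (
    "com.secure.whatsapp.chat/.AutoGrantService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_packages(text):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition(" ")
        installer = None
        for token in rest.split():
            if token.startswith("installer="):
                value = token[len("installer="):]
                installer = None if value == "null" else value
        result[pkg] = installer
    return result


def parse_accessibility(text):
    """Parse the colon-separated package/service list into a set of packages."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/")[0] for entry in text.split(":") if entry}


def triage(packages, a11y_pkgs):
    """Return [(package, [reasons])] for packages that mimic a messaging app.

    A package is reported when its name contains a messaging-app brand but is
    not the official package; the reasons then record whether it was installed
    from somewhere other than Google Play and whether it has an accessibility
    service enabled, the two traits described in the report.
    """
    findings = []
    for pkg, installer in packages.items():
        mimicked = next(
            (name for name, official in OFFICIAL.items()
             if name in pkg.lower() and pkg not in official),
            None,
        )
        if mimicked is None:
            continue
        reasons = [f"package name mimics {mimicked} but is not {sorted(OFFICIAL[mimicked])}"]
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"not installed from Google Play (installer={installer})")
        if pkg in a11y_pkgs:
            reasons.append("has an enabled accessibility service")
        findings.append((pkg, reasons))
    return findings


def run_triage(pm_text=PM_OUTPUT, a11y_text=A11Y_OUTPUT):
    """Run the full check over the two command outputs."""
    return triage(parse_packages(pm_text), parse_accessibility(a11y_text))


if __name__ == "__main__":
    for pkg, reasons in run_triage():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real device, replace the two constants with the output of the two adb commands; the script reads only installed-package metadata and the accessibility setting, so it needs no root. A hit with all three reasons is the pattern the report describes, while a look-alike name alone is worth a closer look at the APK's signing certificate before uninstalling.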
Forbes revealed about a year ago the connections between Bitter APT and the Indian government, when the group was found with “tools” for breaking into a US company’s Microsoft Windows systems. Meta would not say – even if it believed it – that Bitter APT’s roots reach to India, but pointed out that the group operated out of South Asia, targeting citizens from New Zealand, India, Pakistan and the UK. Cisco’s Talos cybersecurity research team recently announced that Bitter APT has been conducting malicious attacks since 2013 against energy, engineering and government entities in China, Pakistan and Saudi Arabia.
Android was not the only target of Bitter APT. Facebook detected the cyber spies’ fake profiles promoting links to download a chat app on iPhone. The hackers tried to get targets to install Apple’s TestFlight app (its beta-distribution service for developers) and then install the chat app through it. By abusing TestFlight, the hackers did not have to create an advanced iPhone hacking app, but simply relied on their social media “programming” prowess. Facebook was unable to determine whether this software actually contained malicious code, but estimated that it “may have been used in addition to a trapped chat medium.” Meta communicated the findings of its report to Apple, which has not yet commented on the issue.
For its part, Google issued the following statement through a spokesperson: “The malware on Android was not downloaded or distributed through the Play Store. All distribution domains have been blocked in Google Safe Browsing, and Android users who have installed these packages will receive a warning on their device”.
On Thursday, Facebook also announced that it had detected malicious activity by a Pakistani hacker group with a government background known as APT36. The group was creating Android spy tools disguised as apps including WhatsApp, the Chinese social media app WeChat and YouTube. The malware was essentially a modified version of a well-known Android tool called XploitSPY, “originally developed by a group of self-described ‘ethical’ hackers in India.” It could spy on contacts and call lists and listen to citizens’ conversations through the device’s microphone. APT36 was found to be targeting people in Afghanistan, India, Pakistan, the United Arab Emirates and Saudi Arabia, “including military, government officials, employees of human rights organizations and other non-profit organizations, as well as students.”
Mike Dvilyanski, Facebook’s head of anti-cyber-espionage investigations, said Meta has identified 10,000 users in at least nine countries who may have been targeted by APT36 and Bitter APT and is in the process of alerting those users directly through Facebook and Instagram. “If we think you may have come into contact with any of these groups, we want to warn you and tell you the tools you can use to secure your online presence,” he told Forbes.
Neither the Pakistani embassy nor the Indian embassy in London have so far responded to requests for comment on the above reports.
Source: Capital