Israeli soldiers using Android devices have fallen victim to a malware attack by terror group Hamas. The Israeli army claims that it had now stopped the attack but not before several hundred phones were infected. This is just the latest salvo in the ongoing cyber war between Hamas and the Israeli military.
Technical details of the attack were released by researchers at Checkpoint Software. They attributed the attack to APT-C-23, a group that has a long history of cyber attacks and not just against Israel. Two years ago, another Checkpoint researcher, Aseel Kayal revealed the group was targeting the Palestinian Authority.
How did the attack work?
The attack was simple. Select soldiers on deployment and then target them using fake profiles of young women across social media. Hamas targeted Israeli soldiers via platforms such as Facebook, WhatsApp, Instagram and even the encrypted message platform Telegram.
Soldier’s chatting with the fake profiles were asked to download one of three dating apps. Checkpoint has named these as GrixyApp, ZatuApp and Catch&See. All of the apps were Mobile Remote Access Trojans (MRATs) which meant that once installed, Hamas would have access to the device.
The first time the user executes the app it displays an error message. This tells the user that the app is incompatible with their device and will uninstall itself. What it actually does is just delete the app icon. The malware grabs an initial data dump from the phone which includes:
- All the details of the device.
- A list of installed apps.
- Photos.
- SMS messages.
- Contacts.
- Location data.
- Browser history.
- Calendar.
- Access to both device camera and microphone.
If left on the device, the malware regularly updates the data it sends to the C&C server used by Hamas. Access to location data, camera and microphone is a serious threat. It would allow Hamas to track troop movements and then know what the soldier was doing at any given moment in time. This would allow Hamas to plan attacks and avoid any action against its members.
Enterprise Times: What does this mean?
Military chiefs are slowly coming to terms with the cyber threat against individuals under their command. We’ve have multiple stories looking at how location and tracking data from fitness apps reveals the layout of military bases. That data also shows running and cycling routes and where personnel live.
The attack also demonstrates the problem of securing mobile devices. As the Checkpoint researchers noted: “This campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”
This latest attack is different but should still not have happened. What is surprising about this attack is how many Israeli soldiers were fooled into installing the Hamas apps. For a country with such a high profile presence in the cybersecurity arena it is easy to forget that people are always the weakest links. One of the outcomes of this attack will be, hopefully, a thorough review by the IDF as to the cybersecurity training it gives troops.