ViperRAT was first identified in July 2015 targeting the Android devices of over 100 Israeli servicemen from the Israeli Defense Force (IDF). ViperRAT allows the attacker to access general data about the device, SMS messages, WhatsApp database and encryption keys, browsing and search histories, documents and archives found in storage, and photos taken. It auto captures while on a call, grabs the list of contacts and call logs, record calls and eavesdrops, and it can update itself. It infects the victim’s device through social engineering tactics, using social networks to coerce the victim to sharing confidential information and downloading the malicious application. The attackers pose as young women and build a rapport with the victim, and then instruct them to install an app for better communication. The app is a weaponized version of a seemingly legitimate application. The application installs a dropper as a regular APK, asks for permissions, and then the dropper downloads a custom payload based on the user’s existing apps, pretending to update one of them. The payload receives commands from the C2 server and sends the results to a staging server. According to Lookout, of the identified 8,929 files exfiltrated from compromised devices, 97 percent were likely encrypted images taken using the device camera. Researchers also observed commands issued to search for an exfiltrate PDF and Office documents. Most of the targeted Israeli servicemen were serving around the Gaza strip at the time of infection. This campaign is still active as of February 2017.
- February 2017: ViperRAT: The Mobile APT Targeting the Israeli Defense Force that Should be on Your Radar. (Lookout)
- April 2018: Two chat apps available on the Google Play Store contain malware belonging to the ViperRAT family. (Lookout)
- Kaspersky Labs provides technical detail on the ViperRAT, here.