ZooPark is an Android malware discovered that has been part of a cyberespionage operation since 2015, focusing on Middle Eastern targets. Since its initial distribution, the malware has gone through four different updates, each time adding more spyware features. ZooPark's distribution method has been narrowed down to two different vectors: using malicious links in Telegram channels to get victims to download APK files and watering hole attacks where popular sites are inserted with malicious APK’s that download when a victim visits that website. The spyware capabilities of ZooPark have evolved from exfiltration of contacts and accounts, to extracting call logs, messages, browser data, silently making audio calls, stealing usernames and passwords, and the ability to capture photos and screenshots. Although this campaign has been going on since 2015, only a low number if infections have been noticed, indicating that victims have been specifically targeted by the threat actors.

Technical Details

  • Kaspersky Labs provides technical analysis of ZooPark, here.