Spyware that steals data ‘traced to Lebanon’


A spyware campaign that has infected thousands of smartphones has been uncovered by the campaign group the Electronic Frontier Foundation (EFF).

Working with the mobile security firm Lookout, researchers discovered that malware hidden in fake messaging apps designed to look like WhatsApp and Signal had stolen gigabytes of data from users.

Targets included military personnel, activists, journalists and lawyers.

Researchers say they traced the malware to a Lebanese government building.

The threat, dubbed Dark Caracal by the researchers, seems to have come from a nation state and appears to use shared infrastructure linked to other nation-state hackers, the report said.

The malware takes advantage of known security exploits and predominantly targets Android phones.

The data trail led back to a server in a building belonging to the Lebanese General Security Directorate in Beirut, according to the researchers.

“Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” the report said.

Mobile threat

“People in the US, Canada, Germany, Lebanon, and France have been hit by the Dark Caracal Malware. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” said EFF director of cybersecurity Eva Galperin.

“This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

Mike Murray, vice-president of security intelligence at Lookout, also said: “Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional advanced persistent threat actors are moving toward using mobile as a primary target platform.”

Online mercenaries

In a statement published on the Lookout blog, Google said it was confident that the infected apps were not downloaded from its Play Store.

“Google has identified the apps associated with this actor; none of the apps were on the Google Play Store. Google Play Protect has been updated to protect user devices from these apps and is in the process of removing them from all affected devices.”

The researchers believe Dark Caracal has been operating since at least 2012, but it has been hard to track because of the diversity of seemingly unrelated espionage campaigns originating from the same domain names.

“Over the years Dark Caracal’s work has been repeatedly misattributed to other cybercrime groups,” the researchers said.