Since at least 2022, a targeted mobile spying campaign has been running in the Middle East without being detected. The campaign uses fake versions of widely trusted secure messaging apps to install a powerful Android spyware called ProSpy on victims' devices.

Lookout Threat Intelligence analysts assess that this campaign is probably a hack-for-hire operation linked to BITTER APT (T-APT-17), a threat actor believed to have ties to the Indian government. The malware collects contacts, SMS messages, and device information, and scans local storage for images, audio, video, documents, and archive files before silently sending everything to attacker-controlled servers. Members of civil society, journalists, and activists in the Middle East should not download apps from anywhere other than official app stores and should be cautious with links, even those that arrive from trusted contacts.

Organizations that support at-risk people should promote the use of mobile threat detection tools and regularly educate users about the dangers of installing apps from unverified sources. The malware is written in Kotlin and follows an object-oriented design, with separate worker classes each responsible for collecting a particular type of data.

In one case, a misleading invitation led a user to a fake ToTok app update page. When the user clicked through, the site automatically downloaded a malicious APK. The landing page was in both English and Arabic, which suggests the attacks were aimed at Arabic speakers. Similar staging sites impersonating Signal and Botim were also set up to catch users off guard.

Once installed, ProSpy uses Retrofit to connect to its command-and-control server. It supports up to ten commands, including ones that exfiltrate documents, contact lists, SMS messages, images, and video files. The team assessed with a fair degree of confidence that BITTER APT itself, or an organization working with it, was hired by unknown clients to spy on civil society targets in the MENA region.
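The defensive takeaway of the report is that ProSpy arrives as a side-loaded APK posing as a trusted messenger. The following script is an added example, not code from Lookout or from the campaign, showing how a responder could triage a device's installed-package inventory (the output of `adb shell pm list packages -i`) for exactly that pattern: packages installed by something other than an official store, and package names that resemble a targeted messenger but are not its official package. The sample listing is constructed. Signal's package name is well known; the ToTok and Botim package names are assumptions to be checked against the current store listings before relying on them.

```python
"""Triage an Android installed-package listing for side-loaded messenger look-alikes.

Input is the text produced by `adb shell pm list packages -i`, one line per package:
    package:<package.name>  installer=<installer.package | null>
"""
import re
from dataclasses import dataclass, field

# Installer package names treated as trusted sources: Google Play and Samsung Galaxy Store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Official package names of the messengers impersonated in the campaign.
# "signal" is well known; "totok" and "botim" are assumptions to verify before use.
OFFICIAL_PACKAGES = {
    "signal": "org.thoughtcrime.securesms",
    "totok": "ai.totok.chat",        # assumption
    "botim": "im.thebot.messenger",  # assumption
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass
class Finding:
    package: str
    installer: str
    reasons: list = field(default_factory=list)


def parse_pm_listing(text):
    """Return (package, installer) pairs from `pm list packages -i` output, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("pkg"), m.group("installer")))
    return entries


def triage(text):
    """Flag packages that were side-loaded or that impersonate a targeted messenger."""
    findings = []
    for pkg, installer in parse_pm_listing(text):
        reasons = []
        # installer=null means a pre-installed system component; only user installs are judged.
        if installer != "null" and installer not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by {installer}, not a trusted store")
        for brand, official in OFFICIAL_PACKAGES.items():
            if brand in pkg.lower() and pkg != official:
                reasons.append(f"name resembles '{brand}' but is not the official {official}")
        if reasons:
            findings.append(Finding(pkg, installer, reasons))
    return findings


# Constructed sample listing: one genuine Signal install, one fake "ToTok update" APK
# dropped by the system package installer, a system app, a store-installed Botim, and an
# unrelated side-loaded app.
SAMPLE_LISTING = """\
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.totok.update  installer=com.google.android.packageinstaller
package:com.android.settings  installer=null
package:im.thebot.messenger  installer=com.android.vending
package:com.example.notes  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f.package, "<-", f.installer)
        for r in f.reasons:
            print("   ", r)
```

The look-alike check is deliberately coarse (a brand keyword anywhere in the package name) so that it catches naming tricks like `com.totok.update`; a genuine store install of the official package never matches, and pre-installed components are left alone. On a real device, the `pm` output would be captured over `adb` and fed to `triage()` unchanged.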

This was the first time that BITTER-linked activity had been documented in this area.