Malicious Facebook password stealing apps found on Google play store. A global mobile espionage campaign that was in operation since 2012 was recently uncovered due to an exposed server on the open internet. This article not just unleashed such digital security threats but also advises the common digital users how to stay safe.
According to the researchers, the espionage group was linked with Lebanese General Directorate of General Security (GDGS) and was able to collect hundreds of gigabytes of data, including personally identifiable information and intellectual property, from thousands of victims in more than 21 different countries
The espionage group dubbed Dark Caracal have targeted military personnel, medical professionals, journalists, lawyers, activists and more. The data stolen by them include call records, documents, secure messaging client content, browsing history, contact information, photos, and location data – enough information to identify a person and closely monitor his/her life.
How It works?
As strange as it may sound, the hackers did not use any advanced ways to hack into their victim’s system. Instead, the hackers used basic social engineering techniques that include sending posts on Facebook groups and WhatsApp messages, encouraging users to visit a website controlled by the hackers and application permissions.
Once tricked into landing on the malicious websites, the victims were served fake updates to secure messenger apps, including WhatsApp, Signal, Threema Telegram, and Orbot (an open source Tor client for Android), which eventually downloaded the Dark Caracal malware, dubbed Pallas, on targets’ mobile devices.
Pallas is a malware that’s capable of taking photographs, stealing data, spying on communications apps, recording video and audio, acquiring location data, and stealing text messages, including two-factor authentication codes.
Experts Opion for Your Digital Security
Ankush Johar, Director at Infosec Ventures – an organisation that provides complete infrastructure security solutions for commercial and government clients of all sizes suggested that, in the modern era, mobile phones have become not only the most used digital equipment but a virtual organ of every user in the absence of which, most of us will have a hard time surviving.
“Your smartphone is basically a blueprint of you and your behaviours. It holds each an every detail of your day to day activity, be it access to your social media account, the log of places you’ve been and regularly visit, people in your life, how important they are or even your extremely personal information such as your identification tokens like biometrics and private conversations and digital media. it’s all there,” says Johar.
Humans are the weakest link in cybersecurity and hackers know that. Hence, it’s not the first time when cyber criminals have leveraged social engineering tactics to infiltrate into personal/professional lives. “Your security is in your own hands and you should be cautious with which messages, websites, emails and phone calls you trust,” he said.
If a hacker manages to gain access of the device he/she can access your messages, photographs, documents, contacts, email, social media accounts, mobile wallets, bank account details the log of places you’ve been – in short, everything that if misused can destroy you financially as well as socially.
Tips to stay Safe!
Here are some following tips that should help you keep your mobile device secure :
Always check what all permission the app requires the users to allow before installation. Stay cautious with permissions that don’t seem legitimate, for instance, if a calculator app wants to access your call logs or messages it is clear that the app wants unnecessary permission and can be malicious. Trust your gut!
Don’t download apps from unknown sources, they can be infected with data-stealing malware hidden behind a genuine looking app. Stay away from pirated apps too as they are the main source of malware.
Do not enter your confidential information like bank account details, personal identifiers, OTPs, passwords etc. on arbitrary applications. Carefully verify that the application is what it is claiming to be before entering any data into it.
For added security, set your app store settings to “Do not allow third-party app downloads from untrusted sites.”
Check the number of download before installing, if the number is less than 50,000, it might not be completely safe and legitimate.
Check the reviews and ratings given by others users who have installed the application. If the ratings are unsatisfactory it is not preferable to download the app.
Think Before you click! Your security is in your own hands, if you feel something seems phishy, go with your gut and stay away from it.