Hackers pushing nation-state-style surveillance malware recently scored a major coup by getting three advanced malicious applications hosted in Google’s official Play marketplace, researchers said.
The mAPTs, short for mobile advanced persistent threats, likely came from two separate groups that both target people in the Middle East, Michael Flossman, head of threat intelligence at mobile security company Lookout, told Ars. The three apps combined received from about 650 to 1,250 downloads, according to Google Play figures. All three of them gave attackers considerable control over infected phones.
The apps—two from a family known as ViperRat and the third from the Desert Scorpion family—represent one of the few known times mAPTs have been found in the official Google market. The attackers’ success is largely the result of a modular design where malicious functionality isn’t part of the initial version first downloaded from the Play Store. Rather, the surveillance capabilities come in a second stage that’s downloaded later. Previously, both hacker groups relied largely on social engineering that tricked targets into downloading apps from third-party markets. The ability to get the apps hosted in Play is considered a win because it gives targets much more assurance the apps are legitimate.