Researchers identified a malicious code disguised in the Signal messaging app by the Bitter APT group to target users with Android spyware called Dracarys. The new threat vector came to light when Facebook’s parent company released its Q2 2022 adversarial risk report on cyber espionage. Cyber-intelligence firm, Cyble reported a trojanized model of the Signal messaging app in a technical report detailing Dracarys. According to the Cyble Report, “The Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques like spear phishing emails, exploiting known vulnerabilities to deliver Remote Access Trojan (RAT) and other malware families.” Attackers used legitimate-looking apps and app stores to target users in India, Pakistan, New Zealand, and the United Kingdom.
Using trojanized dropper apps, the miscreants sent Dracarys under the guise of available channels such as Signal, Telegram, YouTube, and WhatsApp. Dracarys accessed sensitive information, including files, call logs, SMS, contact, and GPS location. The malware comes with the capacity to steal data from the victim’s device with access to their microphone-activation capabilities.
The attacks surpassed detection and blocking as broken links and images with phishing links were sent on chat, making the users type the link on the browser, leading to a successful attack. Due to the permissions requested while downloading infected apps, the attackers could make calls and access the entire storage, including the camera of the victim’s device.
Furthermore, Dracarys can cause damage without the user’s knowledge by auto-granting permissions, clicking on the screen and functioning in the background even when the user is not using the app. Taking screenshots and transferring the same to the attackers is another harmful capability of the adware. The same pattern as noted by Cyble was, “hxxps://signal-premium-app[.]org.”
According to the Cyble’s report, because the supply code of the apps used to convince victims was open supply, the Bitter APT hacking group had more access to model their attack based on anticipated behavior and standard options. According to reports, links showed attractive women to lure victims into opening phishing links. This would deploy the malware on their systems. Moreover, an open channel, ‘Apple TestFlight’, was used to convince users to download and install their ‘iOS chat application.’
