Espionage campaign targeted Kurdish Android users: Security researchers

The espionage campaign duped Android smartphone users into downloading a program used by spies, which recorded their phone calls, extracted their files, and took screenshots.
A person delivers a computer payload while working on a laptop, Jan. 22, 2019 in Lille, during the 11th International Cybersecurity Forum. (Photo: Philippe Huguen / AFP)

ERBIL (Kurdistan 24) – A mobile phone espionage campaign has specifically targeted ethnic Kurds who use Android smartphones since March 2020, ESET researchers revealed on Tuesday.

The espionage campaign duped Android smartphone users into downloading a program used by spies, which recorded their phone calls, extracted their files, and took screenshots. At least 1,481 downloads were recorded from URLs promoted in just a few Facebook posts.

This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors, known as 888 RAT and SpyNote, disguised as legitimate apps, ESET researchers say.

Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content.

QiAnXin Threat Intelligence Center named the group behind these attacks BladeHawk. Both campaigns were distributed via Facebook, using malware built with commercial, automated tools (888 RAT and SpyNote), with all malware samples using the same C&C servers.

"We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps," ESET researchers said. "We reported these profiles to Facebook and they have all been taken down."

"Two of the profiles were aimed at tech users while the other four posed as Kurd supporters," they added. "All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps."

Most of the public Facebook groups were supporters of Masoud Barzani, former President of the Kurdistan Region.