Security researchers from Lookout have discovered two malicious samples of trojanized ViperRAT apps in the Google Play Store, each disguised as a custom chat app. Hackers appear to have used the two Android apps to conduct highly targeted surveillance in the Middle East.
Lookout believes the actors behind the latest ViperRAT samples are the same actors who previously used phishing emails to target and trick Israeli Defense Force victims into downloading surveillanceware early last year.
The first app, VokaChat, was downloaded between 500 and 1,000 times. The second app, Chattak, had only 50 to 100 downloads. Both samples had the chat functionality fully implemented, which sets them apart from other samples observed by Lookout. The command and control infrastructure for both samples also remained active and even included Google’s privacy statement, as required of developers who publish to the Play Store. This helps make the malicious apps look legitimate.
The ViperRAT malware family is known as a mobile advanced persistent threat (mAPT).