Researchers have discovered further information about the recently identified Android spyware called “Dracarys,” which the Bitter APT group employed in cyberespionage activities targeting individuals in the United Kingdom, India, Pakistan, and New Zealand.
The new Android virus was initially disclosed by Meta (Facebook), which briefly described its data-stealing, geo-locating, and microphone-activating capabilities in its Q2 2022 adversarial threat report.
A technical analysis on Dracarys that was provided only with Bleeping Computer today by cyber-intelligence company Cyble delves deeper into the spyware’s inner workings.
Malware deployment through Signal
While Meta specifies laced variants of Telegram, WhatsApp, and YouTube, Cyble’s inquiry only showed up a trojanized Signal chat software.
The hacker organization used a phishing page with the domain “signalpremium[.]com,” as demonstrated below, to trick people into downloading the software.
The Bitter APT hacking group was able to create a version of Signal with all the customary features and anticipated capabilities because the source code is open source. However, when the messaging app was assembled, the threat actors also included the Dracarys malware in the source code.
The malware asks for access to the phone’s contact list, SMS, camera, microphone, read-write storage, make calls, and access to the precise position of the device after it is installed.
These permissions are rather usual for chat applications, even though they are hazardous, thus the request is unlikely to trigger any red flags.
Additionally, Dracarys exploits the Accessibility Service to keep running in the background even after the user exits the Signal app, increasing its privileges and “clicking” on the screen without the user’s involvement.
Your data is stolen by Dracarys
Dracarys connects to a Firebase server when it is launched to obtain instructions for the data that should be gathered from the device.
The following information can be gathered by Dracarys and sent to the C2 server:
- Contact list
- SMS data
- Call logs
- Installed applications list
- Files
- GPS position
Finally, the spyware can take screenshots from the device, record audio, and upload the material to the C2, which in the Cyble-analyzed sample was “hxxps://signal-premium-app[.]org”.
Guidelines for safety
Always be cautious of advice to download safe/secure chat programs, and when you are going to do so, make sure to use the authorized Google Play Store rather than a third-party website.
Pay close attention to the permissions requested when installing new applications on your device, and keep an eye on your device’s battery and data usage to spot any background activities that may be active.
Hacking groups like Bitter APT will undoubtedly continue to use new accounts to persuade users to install their malware because social engineering, the practice of impersonating legitimate businesses and people, is widespread and cannot be stopped by Meta’s efforts to identify and block fake accounts.
