Kaspersky Lab has released an announcement and report of a “sophisticated cyberespionage campaign” that goes by the name ZooPark.
The malware has been targeting Android device users based in Middle Eastern countries for years and appears to be a “nation-state backed operation aimed at political organizations, activists and other targets based in the region,” according to the internet security company.
Disguised as legitimate apps, ZooPark was being distributed from news and political websites popular in the region. One of the vectors was Telegram, the popular messaging app with end-to-end encryption, which has just been banned in Iran for “being used to coordinate illegal activity,” according to the Islamic Republic News Agency.
The announcement lists the information that the malware provides the attacker, including everything from contacts to account data, GPS location, SMS messages and more. There is also a backdoor function that allows for silently sending SMS messages and making calls as well as the execution of shell commands.
Researchers at Kaspersky Lab first confused the malware for a simple cyberespionage tool. However upon further investigation they discovered a recent and sophisticated version of the app, which they decided to call ZooPark. They have been able to identify at least four generations of malware related to the ZooPark family dating back to at least 2015.
“This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware,” the Kaspersky report concludes. “This suggests the latest version may have been bought from vendors of specialist surveillance tools.”
Kaspersky Lab also suggests that the attackers are focusing the malware on users based in Eygpt, Jordan, Morocco, Lebanon and Iran. Kaspersky malware analyst Alexey Firsh told CyberScoop in an email that fewer than 100 targets had been observed.
“This and other clues indicates that the targets are specifically selected,” Firsh said.
The global cybersecurity company did not reveal the identities of the malware victims. They do, however, claim that their products successfully detect and block this threat.