A Secret Hacking Group Is Using Android Malware to Spy on Thousands of People in 21 Countries, Research Finds

Image: Lookout/EFF

A shadowy hacking campaign has been operating out of a Beirut building owned by the Lebanese General Directorate of General Security for the last six years, stealing text messages, call logs, and files from journalists, military members, corporations, and other targets in 21 countries, according to a joint report released today by cybersecurity firm Lookout and digital civil rights group the Electronic Frontier Foundation.

The hacking group, nicknamed Dark Caracal by Lookout and the EFF, uses custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp to steal text messages—including two-factor authentication codes—and other data from targets’ mobile devices, the researchers found. Dark Caracal’s malware also let the group activate a phone’s front and back cameras as well as its microphone to surreptitiously photograph or record a target. In addition to its own custom malware, Dark Caracal also used FinFisher software—a surveillance tool that is often marketed to law enforcement and government agencies.

“Dark Caracal has successfully run numerous campaigns in parallel and we know that the data we have observed is only a small fraction of the total activity,” EFF and Lookout said in their report.


The researchers traced Dark Caracal’s activity to the building controlled by the GDGS, one of Lebanon’s intelligence agencies, by tracking down devices that Dark Caracal used to test its malware. Lookout and the EFF found that the test devices appeared to be clustered in the Beirut building. “Based on the available evidence, it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal,” the researchers said.

Lookout and the EFF observed infrastructure used by Dark Caracal starting in July 2017 and determined that the group was running six unique campaigns, some of which they found had been ongoing for years. Dark Caracal’s surveillance netted a wide range of targets, the researchers discovered. “We have identified members of the military, government officials, medical practitioners, education professionals, academics, civilians from numerous other fields, and commercial enterprises as targets,” they said. Victims are located around the world, including in China, the United States, India, and Russia.

By piecing together a target’s text messages, browsing history, call logs, and location data, Dark Caracal could gain an intimate look into the person’s life. The group also used Windows malware to collect screenshots and files from desktop computers. By sending out phishing messages on Facebook and WhatsApp, Dark Caracal was able to direct its victims to install apps containing its malware.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” Cooper Quintin, EFF’s staff technologist, said in a statement. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”


Kate Conger is a senior reporter at Gizmodo.



You’d think that the people these exploits have targeted would be tech savvy enough to understand basic web security. Downloading an app from an unsolicited phishing email? Really?