Honey Trap Malware: Here Are The Hamas Dating Apps That Hacked Israeli Soldiers
Several hundred Israeli soldiers have had their mobile phones infected with malware sent by Hamas cyber militants. The “honey trap” operation used fake profiles of attractive women to entice soldiers into chatting over messaging platforms and ultimately downloading the malware. As detailed below, that malware was designed to return critical device info and also access key device functions, including the camera, microphone, contact information and messages.
This is the latest chapter in the ongoing cyber offensive conducted by Hamas against Israel. Last May, the Israeli military targeted the cyber militants with a missile strike in retaliation for their persistent offensives. That was seen as the first time a kinetic response had been authorised for a cyber attack.
This time around, the Israeli authorities have acknowledged that this Hamas cyber operation is more sophisticated than those that have gone before, although it was taken down by a joint IDF and Shin Bet (Israeli Intelligence) operation.
The Israeli Defense Forces confirmed that the attackers had messaged their soldiers on Facebook, Instagram, WhatsApp and Telegram, tricking them into downloading three separate dating apps hiding the dangerous malware. Although they assured that “no security damage” resulted from the operation, the breach is significant.
Cybersecurity firm Check Point, which has an extensive research capability in Israel, managed to obtain samples of all three apps used in the attack. The MRATs (mobile remote access trojans) were disguised as dating apps—GrixyApp, ZatuApp and Catch&See. Each app was supported with a website. Targets were encouraged to progress down the attack path by fake dating profiles and a string of photos of attractive women sent to their phones over popular messaging platforms.
The Check Point team explained to me that once a soldier had clicked on the malicious link to install the malware, the phone would display an error message stating that “the device is not supported, the app will be uninstalled.” This was a ruse to disguise the fact that the malware was up and running with just its icon hidden.
And so to the dangers: According to Check Point, the malware collects key device information—IMSI and phone number, installed applications, storage information—which is all then returned to a command and control server managed by its handlers.
Much more dangerously, though, the apps also “register as a device admin” and request permission to access the device’s camera, calendar, location, SMS data, contact list and browser history. That is a serious level of compromise.
Check Point also found that “the malware has the ability to extend its code via downloading and executing remote .dex files. Once another .dex file is executed, it will inherit the permissions of the parent application.”
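As an added example (not Check Point's tooling and not code from the apps themselves), the following Python triage helper shows how a defender can flag the three behaviours described above, the hidden icon, device-admin registration and dynamic loading of downloaded .dex code, in strings extracted from a decompiled APK; the indicator table and the sample strings are constructed for illustration.

```python
"""Triage heuristic for strings dumped from a decompiled Android app.

It scores the behaviours the article attributes to the dating-app MRATs:
a fake 'not supported' message while the icon is hidden, registration as a
device admin, and loading of remote .dex code. Indicators and samples below
are constructed for this example, not artefacts from the real apps."""
import re

# Behaviour name -> regexes over extracted strings (class refs, manifest values).
INDICATORS = {
    "fake_uninstall_message": [r"not supported.*will be uninstalled"],
    "hide_icon": [r"setComponentEnabledSetting", r"COMPONENT_ENABLED_STATE_DISABLED"],
    "device_admin": [r"BIND_DEVICE_ADMIN", r"DEVICE_ADMIN_ENABLED", r"DeviceAdminReceiver"],
    # Dynamic code loading: any DexClassLoader variant or DexFile.loadDex.
    # Plain 'classes.dex' is deliberately NOT an indicator (every APK has one).
    "dynamic_dex": [r"DexClassLoader", r"DexFile\.loadDex", r"loadDex\("],
}


def triage(strings):
    """Return the set of behaviour names whose indicators appear in `strings`."""
    found = set()
    for behaviour, patterns in INDICATORS.items():
        if any(re.search(p, s, re.IGNORECASE) for p in patterns for s in strings):
            found.add(behaviour)
    return found


def verdict(found):
    """Device admin plus remote code loading is the combination the article
    describes: the downloaded .dex inherits the parent app's permissions."""
    if {"device_admin", "dynamic_dex"} <= found:
        return "high"
    return "medium" if found else "none"


# Constructed sample: what a string dump of a suspicious app might contain.
SUSPICIOUS = [
    "The device is not supported, the app will be uninstalled",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting",
    "android.permission.BIND_DEVICE_ADMIN",
    "Ldalvik/system/DexClassLoader;-><init>",
    "https://c2.example.invalid/payload.dex",  # placeholder URL, not a real IoC
]
# Constructed sample: an ordinary app (classes.dex alone must not trigger).
BENIGN = ["Lcom/example/dating/MainActivity;", "classes.dex", "https://api.example.invalid/profile"]

if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        hits = triage(dump)
        print(f"{name}: {sorted(hits)} -> {verdict(hits)}")
```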
The official IDF spokesperson also confirmed that the apps “could compromise any military information that soldiers are near to, or are visible to their phones.”
Check Point’s researchers are cautiously attributing the attack to APT-C-23, which is active in the country and has form for attacks on the Palestinian Authority. This attribution, the team explained, is based on the use of spoofed websites to promote the malware apps, a NameCheap domain registration and the use of celebrity names within the operation itself.
Check Point’s lead researcher into the campaign told me “the amount of resources invested is huge. Think about this—for every soldier targeted, a human responded with text and pictures.” And, as confirmed by IDF, there were hundreds of soldiers compromised and potentially many more targeted but not compromised. “Some victims,” the researcher explained, “even stated they were in contact, unknowingly, with the Hamas operator for a year.”
As ever these days, the social engineering involved in this level of targeted attack has evolved significantly. This offensive displayed a “higher quality level of social engineering,” IDF confirmed, which included mimicking the language of relatively new immigrants to Israel and even hearing difficulties, all providing a ready explanation for the use of messages instead of video or voice calls.
Behind the attack there is also an increasing level of technical sophistication when compared to previous offensives. According to Check Point, the attackers “did not put all their eggs in the same basket. In second stage malware campaigns you usually see a dropper, followed by a payload—automatically.” So it’s like a one-click attack. This time, though, the operator manually sent the payload, giving full flexibility on timing and a second chance to target the victim or a separate victim.
“This attack campaign,” Check Point warns, “serves as a reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”