Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
ViceLeaker Operation: mobile espionage targeting Middle East
ViceLeaker Operation: mobile espionage targeting Middle East
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 15,937
Threads: 10,175
Thanks Received: 9,307 in 7,453 posts
Thanks Given: 10,238
Joined: 12 September 18
#1
Exclamation  28 June 19, 05:43 (This post was last modified: 28 June 19, 05:47 by harlan4096.)
Quote:
[Image: fanning-the-flames-viceleaker-operation-5.png]

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.

During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.

Mobile ViceLeaker

The following table shows meta information on the observed samples, including compiler timestamps:

MD5 Package Compiler C2
51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28[.]251
2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49[.]205
7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49[.]205
3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60[.]213

To backdoor legitimate applications, attackers used a Smali injection technique – a type of injection that allows attackers to disassemble the code of original app with the Baksmali tool, add their malicious code, and assemble it with Smali. As a result, due to such an unusual compilation process, there were signs in the dex file that point to dexlib, a library used by the Smali tool to assemble dex files.
Continue Reading
[-] The following 2 users say Thank You to harlan4096 for this post:
  • dhruv2193, silversurfer
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Android Security Bulletin—March 2026
Android Security B...harlan4096 — 11:13
Qualcomm unveils Wi-Fi 8 chip designed t...
Qualcomm has commi...harlan4096 — 11:10
Adobe Acrobat Reader DC 2025.001.21265
Adobe Acrobat Read...harlan4096 — 11:07
uBOLite 2026.301.2014 (already released ...
uBOLite 2026.301.2...harlan4096 — 11:06
NVIDIA GeForce Game Ready 595.71 driver
Highlights  Gam...harlan4096 — 11:05

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (44)gapedDow
avatar (38)snorydar
avatar (43)Hectorvot
avatar (51)knowhanPluts
avatar (39)Williamengiz
avatar (46)qaqapeti
avatar (44)battsourIonix
avatar (43)CedricSek
avatar (39)chasRex
avatar (43)slavrProck
avatar (45)Tyesharaike
avatar (49)TomeRerla
avatar (45)walllMIZ
avatar (41)oconyho
avatar (33)uteluxix
avatar (47)piafcflene
avatar (39)Matthewkah
avatar (51)tersfargum
avatar (50)alfreExept
avatar (38)Charlesfibre
avatar (42)napasvem
avatar (44)diploJeoca
avatar (38)francisnj3
avatar (43)artmaGoork
avatar (45)tukraNax
avatar (41)RichardCisee
avatar (40)ebenofit
avatar (38)ykazawu
avatar (41)ARYsahulatbazar

[-]
Online Staff
There are no staff members currently online.

>