Lebanese intelligence 'hacks smartphones' in mass spying operation

Lebanon's security agency has been tied to a global hacking scheme using bogus versions of apps like WhatsApp to turn phones into cyber-spying devices targeting thousands, according to a report.
19 January, 2018
An espionage campaign linked to the Lebanese security agency, which uses malware-infected messaging apps such as WhatsApp and Telegram, has been stealing smartphone data from activists, soldiers, lawyers, journalists and others in more than 20 countries, researchers said in a report published on Thursday, in what may be the first known instances of state hacking of mobile phones.

A report authored by digital rights group Electronic Frontier Foundation and mobile security firm Lookout detailed discovery of "a prolific actor" with nation-state capabilities "exploiting targets globally across multiple platforms."

The groups said that the agency in question, Lebanon's General Directorate of General Security, has undertaken over 10 spying campaigns since 2012 targeting Android users in 21 countries.

In the introduction to the report, the organisations issued a stark warning about the future of internet security. 

"As the modern threat landscape has evolved, so have the actors. The barrier to entry for cyber-warfare has continued to decrease, which means new nation states – previously without significant offensive capabilities – are now able to build and deploy widespread multi-platform cyber-espionage campaigns."

Desktop computers were also targeted, but getting into data-rich mobile devices was a primary objective of the scheme, becoming the first hack of its kind, according to the report.

The scheme duped targeted individuals into downloading fake versions of secure and encrypted messaging services like WhatsApp and Signal, enabling attackers to control the phones and use them to take pictures, capture audio, pinpoint locations, and mine handsets for private data.

EFF and Lookout researchers dubbed the threat "Dark Caracal" after a wild cat native to the Middle East.

People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal, according to EFF director of cybersecurity Eva Galperin.

"This is a very large, global campaign, focused on mobile devices," Galperin said.

"Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Hundreds of gigabytes of data have been taken from thousands of victims in more than 21 countries, according to Lookout and the EFF. However, most of the targets were located in Lebanon and the surrounding region, including Syria and Saudi Arabia – two countries known for their authoritarian regimes and appalling human rights records.

There were indications that Dark Caracal might be an infrastructure hosting a number of widespread, global cyberespionage campaigns, some of which date back years, the report said.

The apps, available to download from a fake but legitimate-sounding Android app store called SecureAndroid, fool people into thinking they are genuine, and thus users give them access to cameras, microphones and data.

"All Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realising that they contained malware," said EFF staff technologist Cooper Quintin.

"This research shows it's not difficult to create a strategy allowing people and governments to spy on targets around the world."

Researchers reported that they tracked Dark Caracal to a building in Beirut belonging to the Lebanese General Security Directorate.

The researchers discovered that many of the attacks were linked to one email address – op13@mail.com – which was also connected to several online personas, one of whom was named by researchers as Nancy Razzouk, curiously the name of a Lebanese TV journalist.

Analysis showed that devices of military personnel, businesses, journalists, lawyers, educators, and medical professionals have been compromised, according to the report.

"Not only was Dark Caracal able to cast its net wide, it was also able to gain deep insight into each of the victim's lives," the report concluded.

Cyber security professionals consistently warn people to be wary when downloading software, avoiding programmes shared through links or email and instead relying on trusted sources.