Kristin Del Rosso, a researcher with mobile cybersecurity firm Lookout, has associated the malware with over 30 rogue Android applications to date. The researchers have not yet attributed the various malicious apps to any nation-state backed actors, but do note that the “use of these commercial surveillanceware families has been observed in the past as part of the tooling used by nation-states in the Middle East.”
Researchers at Lookout tracked down the command and control server for the app and pivoted from there to find 30 other unique apps that all share the same infrastructure, suggesting a much larger surveillance campaign has been in progress for some time. The command and control domain appears to be hosted through the dynamic DNS provider No-IP and resolves to several different addresses within the same range. That address space is operated by the Libyan Telecom and Technology internet service provider. The researchers at Lookout also noted that these apps were never available from the Google Play Store and that most instances are being downloaded from third-party sites.
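The pivot described above, from one C2 domain to every app sharing that infrastructure, can be reproduced as a clustering step. The following is an added illustration, not Lookout's own tooling: it groups samples that share a C2 domain or whose resolved IPs fall in the same /24, and every app name, domain and address in it is a constructed placeholder.

```python
"""Cluster Android samples by shared C2 infrastructure (added example,
not Lookout's code). Apps join one cluster when they share a C2 domain
or their domains resolve into the same /24 netblock."""
import ipaddress
from collections import defaultdict

# Constructed sample data: app -> (C2 domain, resolved IPs). Placeholders only.
SAMPLES = {
    "corona-live.apk":   ("c2-a.example-ddns.invalid", ["203.0.113.10", "203.0.113.25"]),
    "covid-tracker.apk": ("c2-a.example-ddns.invalid", ["203.0.113.40"]),
    "virus-map.apk":     ("c2-b.example-ddns.invalid", ["203.0.113.77"]),
    "weather-pro.apk":   ("cdn.example-legit.invalid", ["198.51.100.5"]),
}

def netblock(ip: str, prefix: int = 24) -> str:
    """Collapse an address to its /prefix network so neighbouring IPs match."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def cluster_by_infrastructure(samples, prefix: int = 24):
    """Union-find over apps: two apps are merged if they share a C2 domain
    or a resolved IP inside the same /prefix block. Returns sorted clusters."""
    parent = {app: app for app in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    # Remember the first app seen per indicator (domain or netblock),
    # then merge every later app that reuses that indicator.
    first_seen = {}
    for app, (domain, ips) in samples.items():
        indicators = {("domain", domain)} | {("net", netblock(ip, prefix)) for ip in ips}
        for ind in indicators:
            if ind in first_seen:
                union(app, first_seen[ind])
            else:
                first_seen[ind] = app

    clusters = defaultdict(set)
    for app in samples:
        clusters[find(app)].add(app)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    for group in cluster_by_infrastructure(SAMPLES):
        print(group)
```

Tightening the prefix to /32 reduces the grouping to exact IP or domain reuse, which shows how much of a cluster rests on the netblock assumption alone.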
Kristin Del Rosso also noted, “This surveillance campaign highlights how in times of crisis, our innate need to seek out information can be used against us for malicious ends. Furthermore, the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for these malicious actors to spin up these bespoke campaigns almost as quickly as a crisis like COVID-19 takes hold.”