Researchers have discovered more details on the newly discovered Android spyware ‘Dracarys,’ used by the Bitter APT group in cyberespionage operations targeting users from New Zealand, India, Pakistan, and the United Kingdom.
Meta (Facebook) first reported the new Android malware in its Q2 2022 adversarial threat report, where they briefly mentioned its data-stealing, geo-locating, and microphone-activation capabilities.
Today, cyber-intelligence firm Cyble published a technical report on Dracarys, which was shared exclusively with Bleeping Computer, diving deeper into the inner workings of the spyware.
Using Signal to deploy malware
While Meta mentions laced versions of Telegram, WhatsApp, and YouTube, Cyble’s investigation only uncovered a trojanized version of the Signal messaging app.
The hacking group delivered the app to victims via a phishing page made to appear as a genuine Signal download portal, using the domain “signalpremium[.]com,” as shown below.
The fake Signal website that distributes malware (Cyble)
As Signal’s source code is open source, the Bitter APT hacking group was able to compile a version with all of the usual features and expected functionality. However, the threat actors also added the Dracarys malware to the source code when compiling the messaging app.
Code comparison between clean Signal and trojanized version (Cyble)
The permissions requested upon installation of the malware include access to the phone’s contact list, SMS, access to the camera and microphone, read and write storage, make calls, and access to the device’s precise location.
Even if risky, these permissions are somewhat typical for chat applications, so the request is unlikely to raise suspicions.
Dracarys also abuses the Accessibility Service to auto-grant additional permissions and continue running in the background even if the user closes the Signal app, raising its privileges and “clicking” on the screen without user interaction.
Dracarys steals your data
When launched, Dracarys will connect to a Firebase server to receive commands on what data should be collected from the device.
The data that Dracarys can collect and transmit to the C2 server include the following:
- Contact list
- SMS data
- Call logs
- Installed applications list
- GPS position
Finally, the spyware can capture screenshots from the device, record audio, and upload the media to the C2, which in the sample analyzed by Cyble was “hxxps://signal-premium-app[.]org”.
Screenshot and audio recorder functions (Cyble)
How to stay safe
Always be wary of suggestions to download safe/secure chat applications, and when you are about to download one, make sure to use the official Google Play Store rather than a third-party site.
When installing a new application on your device, pay attention to the requested permissions and regularly monitor battery and internet data consumption to uncover any processes running in the background.
Using social engineering to impersonate legitimate companies and people is rampant despite Meta’s efforts to discover and block fake accounts, so hacking groups like Bitter APT are bound to continue to utilize new accounts to convince users to install their malware.