Researchers discover state actor’s mobile malware efforts because of YOLO OPSEC
Tuesday January 22, 2019, 04:17 PM, from Ars Technica
A nation-state's hacking operations were exposed by WhatsApp and other communications uploaded from their own phones during malware testing, Lookout researchers revealed on January 19 at the Shmoocon security conference in Washington, DC. (credit: Lujuan Peng / EyeEm via GettyImages)
WASHINGTON, DC — At the Shmoocon security conference here on January 19, two researchers from the mobile security provider Lookout revealed the first details of a mobile surveillance effort run by a yet-to-be-named state intelligence agency. They discovered the effort by exploring the command-and-control infrastructure behind a novel piece of mobile malware.

In the process of exploring the malware’s infrastructure, Lookout researchers found iOS, Android, and Windows versions of the malware, as well as WhatsApp data uploaded from a targeted phone. That phone turned out to be one that belonged to one of the state-backed surveillance efforts. The WhatsApp messages and other data found on the server provided a nearly full contact list for the actors, along with details of their interactions with commercial hacking companies and their eventual decision to build their own malware.

Lookout has not revealed the country behind the malware, as the highly targeted collection campaign is still active, and exposing it would burn the company’s ability to block the malware and continue to collect intelligence about the organization. Lookout’s Andrew Blaich and Michael Flossman, who presented the findings at Shmoocon, have nonetheless provided some of the details they obtained in a blog post, and those details give a fascinating look at how a reasonably well-funded, state-sponsored, intelligence-gathering operation works.
https://arstechnica.com/?p=1444515