Avast discovers Tempting Cedar Android spyware campaign

Security researchers have uncovered a three-year-old Android spyware campaign spread through social media and targeting people in the Middle East

Cyber attackers have been running a spyware campaign since 2015 that has exploited social media and victims’ lack of security awareness, according to researchers at security firm Avast.

The spyware, dubbed Tempting Cedar, was disguised as Kik Messenger, a freeware instant messaging mobile app, and was designed to record conversations in range of the phone and to gather sensitive and private data from the devices.

This data included contacts, call logs, text messages, photos, device information and real-time location data, which the researchers said makes the malware “exceptionally dangerous”.

The malware was spread through fake Facebook profiles that appeared to belong to attractive young women, who sent victims a link and encouraged them to download the fake Kik Messenger app to communicate on a “secure and private” platform instead of Facebook.

The link took victims to a fake Kik Messenger site, which the researchers said was very convincing. Victims then downloaded the spyware, despite the fact that they had to alter their device settings to allow the installation of apps from unknown sources, which should have alerted them that something was amiss.

The campaign underlines the effectiveness of social engineering techniques and the importance of user awareness in blocking attempts by cyber criminals to install malware.

Analysis of the spyware revealed that it had malicious modules in common with the Android package kits (APKs) used for the distribution and installation of several other fake messenger apps.

Based on clues from the fake Facebook profiles and the campaign infrastructure, the researchers believe the highly targeted campaign was Lebanese in origin, although they note that it is always difficult to attribute persistent threat campaigns.

Although a small number of victims were from the US, France, Germany and China, the majority of victims were from the Middle East, most of them located in Israel.

Because of the potential impact on the victims targeted with the malware, Avast contacted law enforcement agencies to help with threat mitigation, including shutting down the fake Kik Messenger site.

To protect mobile devices against this kind of malware, Avast recommends that users:

  • Use antivirus software on their mobile devices.
  • Be wary when talking to strangers online.
  • Never open links or download software sent from untrusted sources.
  • Always download software by typing in the source URL rather than following a link.
