Isis followers fooled by fake app that spies on their calls and messages

When it comes to mobile malware, users may typically expect cybercriminals to go after details like social media credentials or bank account records. However, one malicious application has been uncovered that specifically targets terrorist sympathisers.

Uncovered by security researchers at Intel McAfee, the malicious Android-based software is a form of spyware that masquerades as a radio player application which promises – and provides – users with "radicalised propaganda."

However, alongside this content, it also makes those who install the application – titled Al Bayan Radio – "susceptible to cyber-surveillance" through their smartphones.

According to McAfee, it can operate undetected, intercept a victim's calls and messages, turn on the camera and microphone of the device and even access user location.

"The radio player performs its function without any characteristics that might arouse suspicion from users," McAfee researchers said. "However, once installed, the malicious services always run in the background, even if the user ceases to open and operate the app on a regular basis."

"[The app can] access user location, network connectivity information, read/write call history, read/write SMS, and even access SD memory to download or upload files in it," the researchers added. Currently, it is distributed via direct links on social media channels, including Twitter, and has allegedly been found to be infecting targets in the Middle East, Europe, and North America.

The accounts distributing the malware have since been suspended, but were previously tweeting under the profiles @farouk_112 and @farouk_113. While the software lacks a catchy codename, McAfee said it is a recognised Remote Access Tool (RAT) called "SandroRAT".

If a target's device is successfully compromised, this RAT can also gain enhanced permissions on Android smartphones and even be used to leak WhatsApp data, the researchers claimed.

Nation state or script kiddie?

It may be easy to jump to the conclusion the application was developed by law enforcement or a nation-state government interested in conducting surveillance on potential terrorists or sympathisers of groups like the Islamic State (Isis/Daesh) – but McAfee researchers say there are a number of viable culprits.

"The actor could be associated with the terrorist group, perhaps intending to gather information on social media followers with the intention of monitoring, qualifying, and attempting to recruit them into their ranks," the researchers elaborated.

"The actor could be associated with an unknown government's law enforcement or intelligence agencies. Such an entity might wish to monitor potential recruits subject to radicalisation, but the use of a common, off-the-shelf spyware component for cyber-surveillance probably suggests a less sophisticated state actor.

"A third possibility is that the actor could be a rival extremist or vigilante group intending to gather intelligence on the terrorist group's followers and potential recruits."

In any case, SandroRAT has been used to "weaponise" legitimate applications in the past. Previously, its developers have fooled users into downloading infected applications by posing as anti-virus software – including an official release by Russian cybersecurity firm Kaspersky Lab.

Meanwhile, the spread of terrorist propaganda, news and images has thrived in the age of social media. Groups like IS continue to plague platforms like Facebook, Twitter and Telegram with extremist material – a problem that is proving increasingly difficult to combat.