[Image: An Israeli soldier gestures at the scene of a stabbing attack near Arroub refugee camp near the West Bank city of Hebron on 18 July, 2016. REUTERS/Mussa Qawasma]

A mysterious cyber-espionage campaign is actively targeting Android smartphones used by soldiers of the Israel Defense Forces (IDF), using a mixture of honeypot-style social engineering and stealthy malware to snoop on calls, texts, web browsing and more.

Two separate research papers, from Kaspersky Lab and Lookout, reveal that over 100 Israeli military personnel have been targeted in the operation since mid-2016. Worryingly, researchers say the campaign is not only still active but is highly likely to escalate further.

The hackers behind the operation, whose identities remain a mystery, are known to use sexual advances from fake female social media profiles to encourage military personnel to click malware-ridden links, spreading malware now dubbed "ViperRat".

The IDF has obtained a list of the targets, which includes "servicemen of different ranks, most of them serving around the Gaza strip". It said the aim of the attack was to steal military data, including location and tactics.

Michael Flossman, a security researcher at Lookout, said his firm discovered live, misconfigured servers that were being used to manage the attacks. "The structure of the 'surveillanceware' indicates it is very sophisticated," he said.

He continued: "The type of information stolen could let an attacker know where a person is, with whom they are associated, the messages they are sending, the websites they visit and [...] myriad of images including anything at which the device's camera is pointed."

And the hackers appear to be particularly interested in images taken on the infected smartphones. "We were able to identify that 8,929 files had been exfiltrated from compromised devices and that the overwhelming majority of these, 97%, were highly likely encrypted images taken using the device camera," he noted.

Both Lookout and Kaspersky were able to identify a number of infected Android applications that are spreading ViperRat, including a billiards game and an Israeli Love Songs player. The latter fits well with the social engineering tactic of using online honeypots to lure victims.

In January 2017, the New York Times revealed a strikingly similar operation, indicating that the cybersecurity firms' research is an extension of the same cyber-operation. The IDF previously spoke out about its personnel being hit, blaming the espionage on Hamas.

[Image: Keyboard typing. The structure of the 'surveillanceware' indicates it is very sophisticated, researchers warned. iStock]

A spokesman said at the time: "[The culprit] has opened dozens of fake profiles, each with their own names and pictures that they find through stealing the identities of unsuspecting civilians.

"After some back and forth, the operative sends him a few pictures, mirror shots and beach portraits, to prove that she's real, and asks him if he'd like to video chat, but all the apps he has won't work for her – she needs him to download another one.

"They find social media accounts by browsing through selfies, tags, and posts, and target them. This time, their weapon isn't a bomb, gun, or vehicle. It's a simple friend request."

Lookout believes Hamas may not be behind the hack, arguing instead that the malware's capabilities outmatch the group's known skill set. "Hamas is not widely known for having a sophisticated mobile capability, which makes it unlikely they are directly responsible for ViperRat," Flossman wrote.

He added: "[The malware] has been operational for quite some time, with what appears to be a test application that surfaced in late 2015. Many of the default strings in the app are in Arabic, including the name. This leads us to believe this is another actor."

Kaspersky Lab researchers believe this is only the "opening shot" of the clandestine operation. "It is by definition a targeted attack against the Israeli Defense Force," warned Ido Naor, an expert probing the malware alongside the IDF's Information Security unit known as C4I.