ZooPark reaches its fourth generation with new capabilities

May 7, 2018 09:34 GMT
ZooPark was first discovered in mid-2015 and is now at its fourth generation

An updated version of ZooPark, a sophisticated form of malware targeting Android devices since mid-2015, has been spotted in the wild with new capabilities, including extracting any type of data from infected phones.

An in-depth analysis published by Russian security vendor Kaspersky shows that ZooPark powers cyberespionage campaigns aimed at targets in the Middle East region, and its fourth generation adds functionality for data extraction as well as backdoor features.

ZooPark mostly spreads through Telegram channels and hacked news websites that direct targets to links where malicious APK files are hosted.

Kaspersky says there’s a chance the malware was developed by a state actor. ZooPark can do anything from collecting information on contacts, call logs, GPS location, text messages, and accounts, to analyzing installed apps, browser history, photos, and clipboard data.

Additionally, the malware can make calls, send SMS messages, and execute shell commands. It can also take screenshots and give the malware author access to video and audio files.

Manual install required for successful attack

The Russian security company says the attacks have mostly been based on themes like “Kurdistan referendum”, “TelegramGroups” and “Alnaharegypt news,” and most targets were located in Egypt, Jordan, Morocco, Lebanon, and Iran.

“The latest version may have been bought from vendors of specialist surveillance tools. That wouldn’t be surprising, as the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. Also, choosing mobile platforms for espionage campaigns is just a natural evolutionary step. At this point, we cannot confirm attribution to any known actor,” Kaspersky explains in the analysis (PDF document).

As is the case with most malware attacks on Android, ZooPark requires the user to manually install the malicious APK file on the device. This means that staying away from APK files coming from untrusted sources is the easiest way to remain protected.
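One defender-side check for the mitigation just described, added here as an example and not taken from the article or from Kaspersky's report: it parses the output of `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<installer or null>`) and lists packages that did not come through an allowlisted store. The sample output and package names are constructed, and the trusted-installer set is an assumption the reader should adjust.

```python
"""Flag Android packages that were not installed by a trusted app store.

Parses the output of `adb shell pm list packages -i`, whose lines look like
    package:<package_name>  installer=<installer_package or null>
and reports every package whose installer is not in an allowlist.
"""
import re
from typing import Dict, List

# Installer package names treated as trusted app stores (assumption: the
# operator decides which stores belong here; Google Play is com.android.vending).
TRUSTED_INSTALLERS = {"com.android.vending"}

_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer ('null' when the installer is unknown)."""
    result = {}
    for line in pm_output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(pm_output: str) -> List[str]:
    """Packages whose installer is missing or not a trusted store, sorted."""
    return sorted(
        pkg for pkg, inst in parse_installers(pm_output).items()
        if inst not in TRUSTED_INSTALLERS
    )


# Constructed sample output; the com.example.* package names are made up.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.newsreader  installer=null
package:org.telegram.messenger  installer=com.android.vending
package:com.example.telegramgroups  installer=com.android.packageinstaller
"""

if __name__ == "__main__":
    for pkg in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print(pkg)
```

The installer name is recorded at install time and is also `null` for preinstalled system apps, so the list is a triage starting point for spotting sideloaded APKs, not a verdict on any package.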