IDF soldiers

In a report published earlier this week, the Israeli military has accused Hamas cyber-operatives of attempting to lure Israel Defence Forces (IDF) soldiers into installing malware-infected apps on their phones.

The tactic isn't new, as Hamas has done so before in January, but this time around they managed to host the malware on the official Google Play Store, giving them more authenticity.

Israel-based cyber-security firm ClearSky has managed to identify the apps —two dating apps and one World Cup-related application.

WinkChat - com.winkchat.apk
GlanceLove - com.coder.glancelove.apk
Golden Cup -

Hamas used profiles of attractive women to lure soldiers

IDF officials say that just like in January, Hamas operatives created Facebook profiles with photos of attractive women to lure IDF soldiers into private conversations, and later have them install one of the apps.

In January, attackers used the profile of a woman named "Elianna Amer," while this time they used one for "Lina Kramer." IDF says Hamas operatives have used the Lina Kramer profile for at least three months.

"I got a message on Facebook that looked innocent at first, from someone named Lina Kramer, we started talking on Facebook, then we moved to Whatsapp, and then she asked me to download an app called GlanceLove," a former IDF soldier named L. explained.

"At this stage, my suspicion was final, and I decided to consult a friend who helped me understand that it was a fictitious profile with malicious intentions," L. said. "From there I turned to the information security officer in my unit who helped me."

Glance Love app

IDF officials said most soldiers caught on to the tactic and "there was no damage to Israel’s security." One reason may be that the femme fatale trick got a lot of media attention back in January in both local and international press, and most soldiers know about it by now.

But despite this, Israeli newspaper Haaretz reported that at least "hundreds" of soldiers were infected.

Arid Viper APT blamed for the operation

According to the IDF, the malware embedded in the three apps they uncovered this time could take over devices completely, take photos, record audio, find files, and send the acquired data to a remote server.

ClearSky experts say they've been tracking the Hamas group behind this attack for quite some time. In infosec circles, the group is known under the codename of Arid Viper. Kaspersky and the CIPProject have analyzed this group's activity in the past.

This is also the second time that an advanced persistent threat (APT), a term used to describe nation-state sponsored cyber-espionage groups, has been linked to Hamas, the Palestinian Sunni-Islamist fundamentalist organization.

Two years ago, ClearSky found links between Hamas and another APT named Gaza Cybergang, also known as the Gaza Hackers Team or Molerats. This first Hamas-linked APT had developed and used custom malware such as DownExecute, XtremeRAT, MoleRAT, or DustSky (NeD Worm).

UPDATE: After this article's publication, Check Point, another Israel-based cyber-security firm, published a report detailing the capabilities of the spyware embedded in the Golden Cup app.

UPDATE, July 12: McAfee has also published an analysis of the Golden Cup app.

Related Articles:

Seedworm Spy Gang Stores Malware on GitHub, Keeps Up with Infosec Advances

New Cannon Trojan Is the Latest Asset of Sofacy APT Group

Google Maps Users are Receiving Notification Spam and No One Knows Why

Adobe Fixes Zero-Day Flash Player Vulnerability Used in APT Attack on Russia

Emotet Banking Trojan Loves U.S.A Internet Providers