A malware campaign that has infected thousands of smartphones has been uncovered by campaign group the Electronic Frontier Foundation (EFF).
Working with mobile security firm Lookout, the researchers found that malicious apps disguised to look just like WhatsApp and Signal had stolen gigabytes of data.
Targets included military personnel, activists, journalists and lawyers.
The researchers say they have traced the malware to a Lebanese government building.
The threat, which the researchers have dubbed Dark Caracal, appears to be the work of a nation-state and to use infrastructure shared with other nation-state hackers, the report said.
The malware relies on known exploits and primarily targets Android phones.
The stolen data was traced back to a server in a building belonging to Lebanon's General Directorate of General Security (GDGS) in Beirut, according to the researchers.
“On the basis of the available evidence, it is likely that the GDGS is associated with or directly supports the actors behind Dark Caracal,” the report said.

Mobile threats
“People in the USA, Canada, Germany, Lebanon and France have been affected by Dark Caracal. The targets include military personnel, activists, journalists and lawyers, and the types of stolen data range from call records and audio to documents and photos,” said EFF director of information security Eva Galperin.
“This is a very large, global campaign, focused on mobile devices. Mobile is the future of espionage, because phones are full of so much data on a person’s day-to-day life.”
Mike Murray, vice-president of security intelligence at Lookout, said: “Dark Caracal is part of a trend that we have seen mounting over the past year in which traditional advanced persistent threat actors are moving towards the use of mobile technologies as the main platform to target.”

Online mercenaries

In a statement published on the Belvedere blog, Google said it was confident that the infected apps had not been downloaded from the Play Store.
“Google has identified the apps associated with this actor; none of the applications were on the Google Play Store. Google Play Protect has been updated to protect devices from these apps and is in the process of removing them from all affected devices.”
The researchers believe Dark Caracal has been operating since 2012, but it has been difficult to track because of the variety of seemingly unrelated espionage campaigns originating from the same domain names.
Over the years, Dark Caracal activity has repeatedly been wrongly attributed to other cyber-crime groups, the researchers said.
In November, Afghanistan moved to ban WhatsApp and Telegram in an attempt to stop rebel groups from using encrypted messaging. And in December, Iran restricted the use of such apps after a series of anti-establishment protests.
Using an app that steals data would give nation-states far more information than simply banning such apps, said Prof Alan Woodward, a cyber-security expert at the University of Surrey.
“It is always difficult to prove that a nation state is involved. During the Cold War, countries made use of mercenaries, and that is what we are seeing now.”
He said that it was not clear where the infected apps had been downloaded from.
“Google is saying they were not downloaded from there, but it is difficult to know where the rest came from. It may be that people are getting suckered in by something that looks like an official site. People need to be careful about what they are downloading.”