Researchers from IT security company ESET have investigated an espionage campaign against Kurdish targets. The campaign, which has been active since at least March 2010 via dedicated profiles on Facebook, distributed two Android backdoors known as 888 RAT and SpyNote.
Two of the fake profiles provided Kurdish-language news about Android, while the other four provided news aimed at supporters of the Kurds. ESET identified the six fake Facebook profiles distributing android spying apps as part of the campaign conducted by the BladeHawk group.
The profiles shared the espionage apps via groups of supporters of Masoud Barzani, former president of the autonomous region of Kurdistan in northern Iraq. The targeted Facebook groups have more than 11,000 followers.
ESET identified 28 unique posts on Facebook that each contained fake app descriptions and links from which ESET researchers downloaded 17 unique Android Package Kits. Some of the APK links pointed directly to the malicious app, while others pointed to third-party upload service top4top.io, which tracks the number of file downloads. The espionage apps were downloaded 1,418 times.
Most of the malicious Facebook posts led to downloads of 888 RAT that has been available on the black market since 2018. Android 888 RAT is capable of executing 42 commands received from its command-and-control server. It can steal and delete files from a device, take screenshots, get a device's location, phish Facebook account credentials, get a list of installed apps, make calls, steal the device's contact list, and send text messages, ESET said.