Reports indicate that more than 100 Israeli servicemen were first affected by this attack in July 2016, and that the most recent reported attacks happened just this month. The malware, called "ViperRAT," was specifically designed to target Android devices, with hackers gaining access to the phone’s location, video, audio and SMS functions.
Samsung, LG, Huawei and HTC devices were affected, with almost 9,000 files stolen in total.
Security firms report that IDF soldiers fell victim to the malware after being catfished on social media by communicating with profiles posing as attractive women from several different countries, luring them with sexual innuendo. The personnel were then duped into installing an Android chat application infected with Trojan viruses.
YeeCall Pro and SR Chat are legitimate programs, but were weaponized for the cyber attack. The virus spread through “Droppers” hiding in other apps common in Israel and available through the Google App Store, like Move To iOS and an Israeli love-song player.
Soldiers unwittingly gave access to their phones by granting permissions to the malicious apps, giving hackers the ability to eavesdrop on conversations, view live video footage, and control the camera and microphone.
ViperRAT can also gather photos, cell phone tower information, internet browsing history metadata, and a history of downloaded apps.
The IDF has been working with Kaspersky and Lookout to get more information on the espionage campaign, with Lookout researchers reporting that the hack is not the work of amateurs. "Based on tradecraft, the modular structure of code and use of cryptographic protocols [AES and RSA encryption] the actor appears to be quite sophisticated," they said, according to The Hacker News.
The depth of social engineering that went into the hack led Kaspersky to posit that Hamas was responsible, but Lookout has claimed that the group does not possess the sophisticated mobile capabilities to develop a program like ViperRAT.
Michael Flossman, who heads security research services at Lookout, told ZDNet, "It has been used directly against IDF personnel, however there's also a good indication that it has been deployed in other campaigns against other groups."
Kaspersky’s report concluded that, "this is only the opening shot of this operation. Further, that it is by definition a targeted attack against the Israeli Defense Force, aiming to exfiltrate data on how ground forces are spread, which tactics and equipment the IDF is using and real-time intelligence gathering."