Suspected state-sponsored hackers have intensified their attempts to break into the online accounts of Iranian rights activists in recent weeks by exploiting security vulnerabilities in Android smartphones. Photo from ICHRI.
A version of this article was originally published on the website of the International Campaign for Human Rights in Iran. [1]
Suspected state-sponsored hackers have intensified their attempts to break into the online accounts of Iranian rights activists in recent weeks by exploiting security vulnerabilities in Android smartphones, the International Campaign for Human Rights in Iran has learned.
On August 11, 2016 an unknown person sent a message on Facebook to a prominent Iranian political activist living in Paris and introduced himself as a former student. The hacker said he had created political stickers with the activist’s photo on them. He then sent a file, with an APK suffix, to the activist claiming that the file contained the stickers.
But the file actually contained malware. Soon after the activist opened the file, the hacker was able to take over the activist’s Facebook page and sent similar messages to the activist’s friends, some of whom worked at Radio Farda, Deutsche Welle and the BBC. One of the friends fell for the trap and lost access to his Gmail account for several hours.
Files with the APK extension are applications that can be installed on smartphones with Android operating systems. Users should only open these files after downloading them from reputable sources, such as Google Play. Unlike Apple’s iOS operating system, Android apps can be independently developed and installed. This has many benefits for independent developers, but it also makes it easy for hackers to prey on unsuspecting users and spy on them.
The file that was used to hack into the Paris-based activist’s account was created by DroidJack [2], an Android “Remote Administration Tool” that allows hackers to breach the security of a computer system.
List of locations accessed by hackers on a victim’s Android smartphone.
Investigations by the Campaign show that trojan malware created by hackers can gain remote access to a wide range of content on Android smartphones including messages, photos, audio files, apps, GPS locators, and contact lists. The hackers can monitor conversations and operations on the device without the owner’s knowledge. The hacker can even make phone calls and send messages from the victim's device.
The hacking victim’s photo was placed in the malware file to trick him into downloading it.
Hackers have also sent messages on Facebook to Iranian journalists living abroad and asked them to click on false links on Google Drive to “receive important urgent news.” These links have led to malware with similar capabilities.
Receiver: Hi XXXX dear
Receiver: This is my address XXXX@gmail.com
Hacked Account: [link]
Hacked Account: [link]
Hacked Account: It seems the documents are real on this drive
Receiver: XXXX, the files you have sent are locked and they need a password to be accessed
Messages sent to journalists from a hacked account.
The journalist whose Gmail account was hacked described the process as follows:
1. Hacker directs unsuspecting victim to false Google account sign-in page.
2. Victim enters username and password.
3. Hacker records victim’s username and password and submits an access request to Google.
4. Google sends a text message to the victim to complete the two-step verification process.
5. Victim inputs the verification code in the false Google sign-in page.
6. Hacker copies the verification code, which is valid for only 30 seconds, and signs into the victim’s account.
Tech Tips from Global Voices Advox
These kinds of problems don't discriminate. Regardless of where they live or what they do, users should always be cautious when they receive messages from unfamiliar sources, especially if those messages contain a link or an attachment. There are various services and experts online who can help with these challenges, but for non-expert users, Google has some simple ways to check these things and make sure they're safe.
How to test a link
- View the link in plain text. If you are using HTML email (such as Gmail on a web browser), press and hold down the “control” key and click the link.
- Select “Copy link address”
- Copy and paste it into Google's Safe Browsing Site Status [3] tool and see what it says.
How to test an attachment
Google Docs Viewer [4] has a (slightly hidden) feature that makes it easy to view any online document via Google's processed HTML view.
- Paste this URL in a new tab: https://docs.google.com/viewer?url= [5]
- Paste the address of the document you want to view online.
- The document will appear in your browser, through the doc viewer. You can read its contents without actually downloading the file or putting your computer at risk.