ZooPark: New Spyware Campaign Targets Android Users in the MENA

Elephants at a watering hole. Pixelbay.

A targeted, albeit relatively unsophisticated, cyberespionage campaign with servers based in Iran has targeted the Android mobile devices of users in Lebanon, Jordan, Egypt, Morocco, and Iran, according to a recent report from the Moscow-based Kaspersky Lab. Following the publication of the report, an independent hacker dumped some of the data from the campaign on the internet; though other researchers have cast doubts on the authenticity of the data, the dump indicates that the operation only targeted 169 individuals.

The campaign, referred to as ZooPark by researchers, has been active since at least June 2015 and continued to operate as recently as May 12 of this year. Researchers detected four versions of the operation, with each new version demonstrating an increasingly advanced set of capabilities. For example, the first version could only extract contact lists and “accounts registered to the victim’s device,” but by the fourth version the range of extractable data included SMS messages, browser data, GPS location, call log information, log-in credentials, two-factor authentication messages, information about installed third-party applications, audio recordings, and images. The final version was so much more sophisticated that Kaspersky Lab researchers suggested it may not have been developed by the original operators, but purchased from a third-party vendor instead.

Kaspersky Lab researchers were not able to provide data about all of the targets, but they noted that the operation primarily targeted both Kurdistan Referendum supporters across the region and employees of the United Nations Relief and Work Agency for Palestinians in the Near East (UNRWA) in Jordan. In an interview with Motherboard, the researchers stressed that individuals involved with international organizations were disproportionately affected by the operation.

Attack Vectors: Telegram and Watering Holes

The malware infected application that targeted users in the Iranian Kurdistan province. Kaspersky Lab. May 2018.

The campaign targeted users through two distinct vectors: Telegram channels and “watering holes”. Watering holes are links to popular websites that have been infected with malware. When using Telegram, the actors behind the operation sent messages to channels containing a download link for a malware-infected copy of an application intended to poll users in the Iranian Kurdistan province.

Though the type of watering hole used in each iteration of the campaign varied, they all followed the same general process. The operation hacked links of websites, often news sites popular in the Arab world, to redirect the target to download a fake application or image containing malware. In some cases, pages would automatically initiate a download; in other cases, users had to click on a specific application link or image to download. The watering holes predominantly mimicked news sites, such as the Egyptian Al Nahar, al-Hayat, and potentially the Kuwaiti An-Nahar. The researchers could not confirm if a Kuwaiti An-Nahar webpage was breached, but they suspect it might have been because some targets downloaded a malware-infected replica of the newspaper’s mobile application. According to the report, the malware “mimics” various popular applications; however, these spyware-infected versions do not function in the same way as the authentic applications they mimic.

APT or LamePT: Exploring the Data

After the publication of the report, an independent hacker revealed to Motherboard that they were able to hack the operation using information from the report, insisting that ZooPark was not an APT (Advanced Persistent Threat) actor, but a “LamePT” because much of its code was unoriginal.  Subsequently, the hacker dumped a chunk of the data from the campaign onto the internet in exchange for $1,000 in Bitcoin. As a result of this dump, researchers have learned more about the types of data obtained by the operation; however, the public availability of this data also stands to jeopardize the safety and privacy of campaign targets.

Although the hacker may have fabricated some of the leaked data, according to two researchers at the American computer security company McAfee, the data was found to contain over 100,000 audio files,almost 100,000 GPS locations, and an unspecified number of SMS messages. The released audio files are primarily 8-minute recordings of “ambient conversations and daily activities,” as opposed to phone calls. Charles McFarland and Tim Hux, the two researchers, cast doubt on the authenticity of the SMS messages because some of the sample resembled random messages that are usually used in machine learning techniques for training SMS spam-filters. At the same time, some of the sample SMS messages were found to contain sensitive information, thereby potentially placing exposing targets to further risk.

If the entirety of the dump is authentic, the McAfee researchers concluded that the ZooPark campaign has “a significant footprint in Egypt.”

A Rise in Targeted Spyware Campaigns?

Most surprisingly, the dump suggests that ZooPark targeted just 169 unique victim numbers over a nearly three year period, suggesting that the campaign could have had precise targets or it could have experienced difficulty infecting targets’ devices with malware. On the other hand, the Dark Caracal campaign, which operated over a six year period and targeted individuals both inside and outside of the Middle East and North Africa, infected at least 2,000 users with spyware. While it is hard to draw conclusions about the significance of this discrepancy without knowing the identity of either campaign’s targets or its operators, it is concerning that two spyware campaigns have been uncovered in the region within such a short time.

For advice on how to prevent your Android device from being infected with spyware, read the tips we released in the wake of the Dark Caracal report and EFF’s Surveillance Self-Defense Tutorial.

, , , , , , , ,

12 Responses to ZooPark: New Spyware Campaign Targets Android Users in the MENA

  1. Ann Cook May 30, 2019 at 8:36 pm #


    The most effective websites of today aren’t just pretty: they’re useful, user intent-centered and they load fast. How’s your website doing nowadays? Is it attracting the right amount of traffic and the appropriate traffic to make it more profitable?

    If your site can be navigated comfortably, and the information they need is right where it should be, you can be certain that they will be interested to avail of your products/services. While potential clients are browsing on your website, it’s essential for their experience to be an easy and convenient affair. My years of experience in Web design experience has taught me how to pay attention to what my client’s business goals are. I can help you reach them through design.

    I deliver excellent results for attractively affordable costs. I’ve compiled my portfolio ready to be viewed. I can send them to you if you’re interested to know about the work I’ve done for my past clients. If you’d like, I can also give you a free consultation via the phone. Please write back to inform me about the best time to give you a call. Talk to you soon!

    Thank you.
    Ann Cook

  2. Russel Handerson August 29, 2019 at 10:58 am #

    Good day!

    Your website’s relevance to the keywords people input on Google search is very important for your business to be easily found on the results. I ran some of my SEO reporting tests on your website and took a look at its contents. Have you checked how your website ranks in the Google? Results showed that there are many keywords (search terms) that you’re not ranking for. I can fix that for you at a cheap cost!

    SEO or search engine optimization can significantly increase the amount of business you can generate from online because your clients and potential new clients will be able to easily find your website. It’s the most effective and inexpensive marketing strategy that comes at a cheap price.

    I would like to assist you with your website. If you’re interested, kindly reply to inform me about the best time to call and what number to contact. I hope to speak with you soon.

    Russel Handerson

  3. Court Singleton September 3, 2019 at 10:18 am #


    People are becoming pickier with their websites. The question now is: how is your site holding up to today’s user demands? According to Google, a page that loads a second after three seconds will have double the bounce rate. And that’s from last year’s statistics. People now have a tendency to just leave a website that doesn’t capture their attention; and that’s where great design comes in to help.

    Imagine if navigating on your business website was effortless, aesthetically pleasing, and offers an amazing experience to people while they find what they are searching for with ease. It will appeal to more potential and returning clients. I’d like to be of assistance in making your website more functional and sales efficient. I have compiled a portfolio of my past work ready to be viewed, and if you’re interested, I can forward them right away.

    My services are cheap even for small businesses. I will also provide a consultation for free over the phone. If you would like to know more about the work I do, please reply about when’s the most favorable time to contact you. Talk to you soon!

    Court Singleton

  4. Edward September 13, 2019 at 9:01 am #


    I’m an online digital marketer, and I just finished conducting some SEO reporting tests on your site. The results showed a few issues preventing it from being easily found by people searching online for products/services relevant to your business. There’s also a great amount of additional web traffic we can get you by making your website get a better placement on the search engine results with search engine optimization.

    I’d really like to discuss with you more helpful information about this, so please reply let me know if you’re interested. I can also provide a free consultation to present you the data about your website’s potential and where I can take it further. Don’t worry about my rates since they’re considered cheap even by small start-up companies.

    I hope to speak with you and share some helpful insights. Just let me know about the best time to give you a call. Talk to you soon!

    Edward Foster

  5. Ed Frez September 18, 2019 at 8:26 am #


    I’m a freelancer who designs great looking websites for small businesses. I wanted to know if you’d be interested in making some changes to your website. I’d love to show you what I accomplish for you. I specialize in the WordPress website platform, and I’m also very good with many other platforms and shopping carts as well. I can upgrade your existing website or build you a new one from scratch that has all of the modern features and functionality.

    I do all of the design and programming by myself and I never outsource. Have you been thinking about making some changes to your website? If so, do you have some free time in the next few days for a quick call? I can give you some ideas, get your feedback and give you a proposal. I’d really like to be of assistance and make the site better. Kindly let me know about when’s the best time to contact you if you’re interested. Talk to you soon!

    Ed Frez – Web Designer / Programmer

  6. Hubert Fitzgerald October 22, 2019 at 10:11 am #


    I was checking on your website, and it seems you might have to update it to keep up with the current trends. People nowadays are more comfortable browsing the internet on their phone or tablet since it’s more convenient. There were some issues when I was viewing it in mobile platforms, I can fix that for you.

    I already like its design and overall user-interface, but I believe that your website can get even better so that your potential clients can be more engaged to do business with you, thus making your website more profitable. I’m all about flexibility and I’m sure that we can work out something to fit your needs.

    My rates are cheap since I’m committed to helping small businesses. I’ll answer all the questions you have for me during a free consultation over the phone. I’d also like to know your ideas for the website, so please reply with the best time for me to call and your preferred contact details. I look forward to hearing back from you.

    Hubert Fitzgerald

  7. Edward Franco November 1, 2019 at 8:03 am #


    I ran some SEO reporting tests on your website and was able to retrieve data that showed there’s a lot of additional web traffic your site can get by making sure that you’re ranking higher in search engines like Google and Bing. There are issues prevent your website from being more profitable than it should be. I can fix that for you.

    I’m an expert in making sure your business shows up at the top of search engine results so your potential clients would find your business with ease (which can result to more sales). The search engine optimization that I do can really make your website more profitable for your company, all for a cheap cost! I’d like to give you a complimentary consultation so that I can show you all of the data about your website’s potential. Please write back to let me know when is the best time for us to have the call. I look forward to speaking with you soon.

    Best regards,
    Ed Franco

  8. Ed Frez November 11, 2019 at 6:46 am #


    Are you thinking of giving your site a more modern look and some elements that can help you run your business? How about making some upgrades on your website? Are there any particular features that you’ve thought about adding to help your clients find it easier to navigate through your online content?

    I am a professional web designer that is dedicated to helping businesses grow. I do this by making sure that your website is the best that it can be in terms of aesthetics, functionality, and reliability in handling your business online. All of my work is done freelance and locally (never outsourced). I would love to talk to you about my ideas at a time that’s best for you. I can give you plenty of information and examples of what we’ve done for other clients and what the results have been.

    Please let me know if you’re interested, and I’ll get in touch with you as quick as I can.

    Ed Frez – Web Designer / Programmer

  9. Ronald Robinson November 21, 2019 at 5:48 am #


    I’m quite certain you’re aware that most successful businesses always have their website come up on the first page of Google search results since they’re more relevant, popular, and more credible compared to the other companies found on page 2 or so on. Have you ever wondered how these websites dominated the first page? It’s not at all difficult to achieve! We can put your site on the first page using search engine optimization.

    I ran a few tests on your website and found out that there are many keywords you can potentially rank for. These are crucial for you to be easily found while people searching on Google input words relevant to your products or services. To give you an idea of my work, I will send you case studies of websites I’ve worked with before and how they gained more profit after the optimization.

    I’ll also give you a free consultation over the phone, and the information about your website can benefit you whether or not you choose to avail of my services. Don’t worry about my fees since my target market are for small businesses and I deliver excellent results that come at a cheap price. I look forward to speaking with you soon. Would you like to schedule a phone call?

    Best regards,
    Ronald Robinson

  10. Edward Frankish December 1, 2019 at 4:17 am #


    Are you currently pleased with the number of sales your website is able to make? Is it getting enough visits from potential clients?I’m a freelance SEO specialist and I saw the potential of your website. I’m offering to help you boost the amount of traffic generated by your site so you can get more sales.

    If you’d like, I’ll send you case studies from my previous work, so you can have an idea of what it’s like before and after a website has been optimized for web searches. My services come at a cheap price that even small businesses can afford them. Please reply let me know if you’re interested. Talk to you soon!

    Edward Frankish

  11. free blog December 3, 2019 at 5:32 pm #

    What’s up, constantly i used to check webpage posts here early in the dawn,
    for the reason that i love to find out more and more.


  1. Journalists and human rights defenders under fire, Pride event cancelled: May in the MENA region - Ryan Guillory - June 2, 2018

    […] stealing private data from Android mobile devices in Lebanon, Jordan, Egypt, Morocco and Iran, as this statement by SMEX […]

Leave a Reply

I footnotes