ZooPark: New Spyware Campaign Targets Android Users in the MENA

Elephants at a watering hole. Pixelbay.

A targeted, albeit relatively unsophisticated, cyberespionage campaign with servers based in Iran has targeted the Android mobile devices of users in Lebanon, Jordan, Egypt, Morocco, and Iran, according to a recent report from the Moscow-based Kaspersky Lab. Following the publication of the report, an independent hacker dumped some of the data from the campaign on the internet; though other researchers have cast doubts on the authenticity of the data, the dump indicates that the operation only targeted 169 individuals.

The campaign, referred to as ZooPark by researchers, has been active since at least June 2015 and continued to operate as recently as May 12 of this year. Researchers detected four versions of the operation, with each new version demonstrating an increasingly advanced set of capabilities. For example, the first version could only extract contact lists and “accounts registered to the victim’s device,” but by the fourth version the range of extractable data included SMS messages, browser data, GPS location, call log information, log-in credentials, two-factor authentication messages, information about installed third-party applications, audio recordings, and images. The final version was so much more sophisticated that Kaspersky Lab researchers suggested it may not have been developed by the original operators, but purchased from a third-party vendor instead.

Kaspersky Lab researchers were not able to provide data about all of the targets, but they noted that the operation primarily targeted both Kurdistan Referendum supporters across the region and employees of the United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA) in Jordan. In an interview with Motherboard, the researchers stressed that individuals involved with international organizations were disproportionately affected by the operation.

Attack Vectors: Telegram and Watering Holes

The malware-infected application that targeted users in the Iranian Kurdistan province. Kaspersky Lab. May 2018.

The campaign targeted users through two distinct vectors: Telegram channels and “watering holes”. A watering hole is a popular website that has been compromised so that it serves malware to its visitors. When using Telegram, the actors behind the operation sent messages to channels containing a download link for a malware-infected copy of an application intended to poll users in the Iranian Kurdistan province.

Though the type of watering hole used in each iteration of the campaign varied, they all followed the same general process. The operation compromised links on websites, often news sites popular in the Arab world, to redirect the target to download a fake application or image containing malware. In some cases, pages would automatically initiate a download; in other cases, users had to click on a specific application link or image to download. The watering holes predominantly mimicked news sites, such as the Egyptian Al Nahar, al-Hayat, and potentially the Kuwaiti An-Nahar. The researchers could not confirm that a Kuwaiti An-Nahar webpage was breached, but they suspect it might have been because some targets downloaded a malware-infected replica of the newspaper’s mobile application. According to the report, the malware “mimics” various popular applications; however, these spyware-infected versions do not function in the same way as the authentic applications they mimic.

APT or LamePT: Exploring the Data

After the publication of the report, an independent hacker revealed to Motherboard that they were able to hack the operation using information from the report, insisting that ZooPark was not an APT (Advanced Persistent Threat) actor but a “LamePT” because much of its code was unoriginal. Subsequently, the hacker dumped a chunk of the data from the campaign onto the internet in exchange for $1,000 in Bitcoin. As a result of this dump, researchers have learned more about the types of data obtained by the operation; however, the public availability of this data also stands to jeopardize the safety and privacy of the campaign's targets.

Although the hacker may have fabricated some of the leaked data, according to two researchers at the American computer security company McAfee, the data was found to contain over 100,000 audio files, almost 100,000 GPS locations, and an unspecified number of SMS messages. The released audio files are primarily 8-minute recordings of “ambient conversations and daily activities,” as opposed to phone calls. Charles McFarland and Tim Hux, the two researchers, cast doubt on the authenticity of the SMS messages because some of the sample resembled the random messages that are usually used in machine learning datasets for training SMS spam filters. At the same time, some of the sample SMS messages were found to contain sensitive information, thereby potentially exposing targets to further risk.

If the entirety of the dump is authentic, the McAfee researchers concluded that the ZooPark campaign has “a significant footprint in Egypt.”

A Rise in Targeted Spyware Campaigns?

Most surprisingly, the dump suggests that ZooPark targeted just 169 unique victim numbers over a nearly three-year period, suggesting that the campaign either had very precise targets or experienced difficulty infecting targets’ devices with malware. By contrast, the Dark Caracal campaign, which operated over a six-year period and targeted individuals both inside and outside of the Middle East and North Africa, infected at least 2,000 users with spyware. While it is hard to draw conclusions about the significance of this discrepancy without knowing the identity of either campaign’s targets or its operators, it is concerning that two spyware campaigns have been uncovered in the region within such a short time.

For advice on how to prevent your Android device from being infected with spyware, read the tips we released in the wake of the Dark Caracal report and EFF’s Surveillance Self-Defense Tutorial.
