Dracarys Mobile Malware
Cybercriminals are using a weaponized version of the legitimate messaging application Signal to spread a potent Android spyware threat known as Dracarys. The threat is being primarily leveraged against targets located in India, Pakistan, the UK, and New Zealand. The Dracarys threat was first brought to light in an adversarial threat report released by Meta (formerly Facebook). A more in-depth report on Dracarys was published by researchers.
Researchers attribute the threat to the Bitter APT (Advanced Persistent Threat) group. The hackers delivered the Dracarys Android malware to their victims' devices via a specially crafted phishing page designed to mimic the legitimate Signal download portal. The domain used was 'signalpremium(dot)com'. Because Signal's source code is open, the Bitter APT hackers were able to build a version that retained all of the usual functionalities and features that users expect from the application. However, the modified version also carried the Dracarys malware in its source code.
Once established on the device, the mobile malware threat is capable of extracting a wide range of data while also spying on the target. After being activated, Dracarys first tries to establish a connection with a Firebase server to receive instructions on what type of data to collect. The threat can harvest contact lists, SMS data, GPS position, files, a list of all installed applications, call logs, and more. The spyware can also capture screenshots and make audio recordings. All collected data is then exfiltrated to the Command-and-Control server of the operation.
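Because the trojanized build keeps Signal's normal features, its permission profile looks much like the genuine app's, so a defender's triage has to key on what a rebuild cannot reproduce: the original developer's signing key and installation from a trusted store. The following Python script is an added example, not code from the report or from Signal; it assumes a package inventory in the shape an MDM export or an `adb shell pm` dump would give, uses a placeholder (not Signal's real) signer hash, and constructs a sample in which the rebuilt app reuses the official package name, which the article does not say the real sample did. The permission check is informational only, for the reason above.

```python
"""Triage an Android app inventory for a trojanized build of a known app.

Added example with constructed data; not code from the Dracarys report.
A rebuild of an open-source app keeps the app's normal permission profile,
so the decisive checks are the signing key and the install source.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder, NOT Signal's real certificate hash: pin the signer
# SHA-256 taken from a known-good install before relying on this table.
KNOWN_GOOD_SIGNERS = {
    "org.thoughtcrime.securesms": "PLACEHOLDER_SIGNAL_SIGNER_SHA256",
}

# Installer package names accepted as trusted sources (Google Play shown;
# add an enterprise store or MDM agent as needed).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Android permissions that enable the collection listed for Dracarys.
# Screenshots are omitted: they go through MediaProjection or an
# accessibility service, not a single runtime permission.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_CONTACTS",          # contact lists
    "android.permission.READ_SMS",               # SMS data
    "android.permission.ACCESS_FINE_LOCATION",   # GPS position
    "android.permission.READ_EXTERNAL_STORAGE",  # files
    "android.permission.QUERY_ALL_PACKAGES",     # installed-app list
    "android.permission.READ_CALL_LOG",          # call logs
    "android.permission.RECORD_AUDIO",           # audio recordings
}
BROAD_COLLECTION_THRESHOLD = 4

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class Package:
    device: str
    name: str
    signer_sha256: str
    installer: Optional[str]  # None when sideloaded from an APK file
    permissions: Set[str] = field(default_factory=set)


def triage(pkg: Package) -> List[Finding]:
    """Return (severity, message) findings for one installed package."""
    findings: List[Finding] = []
    expected = KNOWN_GOOD_SIGNERS.get(pkg.name)
    if expected is not None and pkg.signer_sha256.lower() != expected.lower():
        # A rebuilt app cannot be signed with the original developer's key.
        findings.append(("high", "signer mismatch for %s" % pkg.name))
    if pkg.installer not in TRUSTED_INSTALLERS:
        findings.append(("medium", "installed from untrusted source: %s"
                         % (pkg.installer or "sideloaded")))
    granted = pkg.permissions & COLLECTION_PERMISSIONS
    if len(granted) >= BROAD_COLLECTION_THRESHOLD:
        # Informational only: the genuine messaging app needs most of these.
        findings.append(("info", "broad collection surface: %s"
                         % ", ".join(sorted(granted))))
    return findings


def max_severity(findings: List[Finding]) -> str:
    order = {"none": 0, "info": 1, "medium": 2, "high": 3}
    return max((sev for sev, _ in findings), key=order.get, default="none")


def triage_inventory(inventory: List[Package]) -> Dict[str, List[Finding]]:
    """Key findings by device and package so one name can recur across devices."""
    return {"%s:%s" % (p.device, p.name): triage(p) for p in inventory}


# Constructed sample inventory: one genuine store install, one sideloaded
# rebuild that reuses the package name (an assumption for this sample), and
# an unrelated sideloaded app.
MESSAGING_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
}
SAMPLE_INVENTORY = [
    Package("phone-01", "org.thoughtcrime.securesms",
            "PLACEHOLDER_SIGNAL_SIGNER_SHA256", "com.android.vending",
            set(MESSAGING_PERMS)),
    Package("phone-02", "org.thoughtcrime.securesms",
            "0000constructed_attacker_signer_sha256", None,
            set(COLLECTION_PERMISSIONS)),
    Package("phone-02", "com.example.flashlight",
            "1111constructed_other_signer_sha256", None, set()),
]

if __name__ == "__main__":
    for key, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(key, max_severity(findings), findings)
```

Run as-is, the genuine install on phone-01 produces only the informational permission finding, while the rebuilt copy on phone-02 is flagged high on the signer mismatch and medium on the sideload, which is the separation a permission-only check cannot give. In practice the signer fingerprint would be pinned from an install obtained directly from the official store, and the installer field would come from the device's package manager rather than a constructed list.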