{
	"id": "df138ab4-ecb0-4c8d-9f4a-c9a7a4b5a376",
	"created_at": "2026-04-06T00:06:30.838673Z",
	"updated_at": "2026-04-10T03:30:56.229169Z",
	"deleted_at": null,
	"sha1_hash": "34e2e65307920ef738710548db9510046c4b7a76",
	"title": "How to avoid turning your smartphone into a spyware zoo",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 382712,
	"plain_text": "How to avoid turning your smartphone into a spyware zoo\r\nBy Leonid Grustniy\r\nPublished: 2018-05-14 · Archived: 2026-04-05 18:47:28 UTC\r\nDo you follow the news? The news may also be following you. ZooPark spyware targets those partial to politics.\r\nSometimes even a completely innocent-looking site with a good reputation can be harmful — criminals may find\r\nand exploit a vulnerability. For example, they can use the site for drive-by attacks, causing each visitor to\r\ndownload a file automatically (and unwittingly) as soon as they get to the site. For example, Android users\r\ninterested in current events in the Middle East are at risk of getting a whole menagerie — ZooPark spyware — on\r\ntheir phones.\r\nKaspersky Lab has been following this malware since 2015, and it has learned a plethora of new tricks since then.\r\nThe current, fourth version of this Trojan can steal almost any information from your smartphone, from contacts to\r\ncall logs and info you enter by keyboard. Here is the list of data that ZooPark can collect and send to its owners:\r\nContacts\r\nUser account information\r\nCall history\r\nCall audio recordings\r\nText messages\r\nBookmarks and browser history\r\nBrowser search history\r\nDevice location\r\nDevice information\r\nInformation on installed apps\r\nAny files from the memory card\r\nDocuments stored on the device\r\nInformation entered using the on-screen keyboard\r\nClipboard information\r\nApp-stored data (for example, data from messaging apps such as Telegram, WhatsApp, and imo, or the\r\nChrome browser)\r\nIn addition, ZooPark can take screenshots and photos, and record videos on command. For example, it can take a\r\npicture of the phone’s owner from the front camera and send it to its command center.\r\nMalware beasts and where to find them\r\nZooPark Trojan spyware is used for targeted attacks — in other words, it’s not sent out randomly to ensnare just\r\nanyone; it aims for a specific audience. As we said, the criminals behind ZooPark target those who are interested\r\nin specific topics — in this case, Middle Eastern politics.\r\nZooPark spreads by two main channels: drive-by downloads and Telegram. In the latter case, for example,\r\ncriminals offered an app on the Telegram channel for voting on the Kurdistan independence referendum.\r\nMalefactors also hack some Web resources that are popular in certain countries or circles, making visitors\r\nautomatically download an infected app that looks like something useful — for example, an official app for the\r\nnews resource. Finally, in some cases, the malware pretends to be an “all-in-one” messenger. For more details\r\nabout the technical aspects of ZooPark, see the post on Securelist.\r\nDon’t buy a zoo\r\nTo avoid falling prey to this kind of dangerous spyware, remember a few important rules that will help make your\r\nvirtual life safer:\r\nDownload apps only from trusted sources. Even better, use your device settings to disable the ability to\r\ninstall programs from third-party stores.\r\nUpdate your operating system and important apps as updates become available. Many safety issues can be\r\nsolved by installing updated versions of software.\r\nUse mobile antivirus software to block suspicious links and apps. Kaspersky Internet Security for Android\r\ndetects and neutralizes ZooPark.\r\nSource: https://www.kaspersky.com/blog/zoopark-attacks/22389/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/blog/zoopark-attacks/22389/"
	],
	"report_names": [
		"22389"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775791856,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34e2e65307920ef738710548db9510046c4b7a76.pdf",
		"text": "https://archive.orkl.eu/34e2e65307920ef738710548db9510046c4b7a76.txt",
		"img": "https://archive.orkl.eu/34e2e65307920ef738710548db9510046c4b7a76.jpg"
	}
}