{
	"id": "b37273b2-6577-4d49-b48d-2661680d18f9",
	"created_at": "2026-04-06T00:15:24.37051Z",
	"updated_at": "2026-04-10T13:12:35.513701Z",
	"deleted_at": null,
	"sha1_hash": "44bd60821e7782e36b7425d8ecd6320dd62f5f46",
	"title": "These hackers are using Android surveillance malware to target opponents of the Syrian government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51428,
	"plain_text": "These hackers are using Android surveillance malware to target\r\nopponents of the Syrian government\r\nBy Danny Palmer, Senior Writer, Dec. 10, 2018 at 3:15 a.m. PT\r\nArchived: 2026-04-05 20:00:15 UTC\r\nHackers working on behalf of the Syrian government are targeting political opponents with surveillance malware\r\nbeing distributed in trojanised versions of messaging applications including WhatsApp and Telegram.\r\nThe Syrian Electronic Army group of hackers works in support of Syrian President Bashar Al-Assad and targets\r\ngroups and individuals opposed to his regime. The group also has a history of hacking into and defacing websites\r\n-- including that of the US Army -- and social media accounts, the most high profile of which saw the Twitter\r\naccount of the Associated Press compromised.\r\nSuch is the notoriety of the SEA that the US charged three Syrian nationals with being members of the group in\r\n2016, with two added to the FBI's Most Wanted List.\r\nIn recent years, the group has seemingly kept a low profile, but the SEA hasn't ceased activity: it's altered tactics\r\nand is now delivering custom Android malware to opponents of the Assad regime for the purposes of surveillance.\r\nThe malware was dubbed SilverHawk by researchers at security firm Lookout, who detailed their findings at the Black Hat Europe\r\nconference in London. 
The malware is thought to have been in operation since mid-2016 and is capable of secretly\r\nrecording audio, taking photos, downloading files, monitoring contacts, tracking location and more.\r\n\"You can imagine the implications for political dissidents who might be in sensitive meetings and the enemy\r\nwould love to know what they're talking about -- if their phone's infected, they can just remotely start recording\r\naudio,\" said Kristin Del Rosso, security intelligence engineer at Lookout.\r\nThe Google Android malware isn't widely spread, suggesting that the SEA is using it sparingly in highly targeted\r\ncampaigns. The main method of delivering SilverHawk is by tricking victims into downloading malicious\r\nversions of messaging apps from watering hole sites or social engineering via phishing emails.\r\n\"Typically you'll see this deployed inside trojanised secure messaging applications, secure connectivity\r\napplications and that was the case here,\" said Michael Flossman, head of threat intelligence at Lookout. \"The\r\nthreat actors behind this really favour trojanising updates to WhatsApp, Telegram as well as a system package\r\nupdate.\"\r\nTo help remain undetected, the malicious app doesn't place an icon on the home screen. SilverHawk has also been\r\nbuilt to avoid the rapid battery drain which can be a telltale sign that a malicious app has been installed. 
The\r\ncreators of the malware have built in a survival counter that gives it two attempts to connect back to its command\r\nand control servers.\r\n\"What happens is every time there's a connection to the command and control servers that's successful, it resets to\r\ntwo, then every time a connection isn't made or the C2 server is down it drops down by one,\" Del Rosso\r\nexplained.\r\n\"When the device is rebooted, however, the counter is back to 2, allowing the surveillance-ware to attempt to\r\ncontinue its spying abilities,\" she added. It also prevents repeated attempts at connection from draining the battery\r\nand arousing suspicion that something is wrong.\r\nAnalysis by Lookout suggests that SilverHawk has been successful in carrying out its tasks and remaining stealthy\r\nas the malware has rarely needed to be reworked to avoid detection by security solutions, and when changes have\r\nbeen made, they're relatively minor.\r\nWhile SilverHawk only targets Google Android on mobile devices, the Syrian Electronic Army is also known to\r\ntarget dissidents using Windows malware, with delivery typically via phishing emails containing attachments\r\nrelated to military operations in the region. 
Common forms of malware used in these campaigns include NjRAT,\r\nH-Worm Plus and DarkComet.\r\nIn instances of both the Android and Windows campaigns the use of open directories and poor operational security\r\nby the attackers has enabled Lookout to attribute the attacks to the SEA.\r\n\"There is no indication that they are using this tooling or the associated infrastructure that we've identified in\r\ntargeted attacks against western interests at this time,\" Flossman told ZDNet.\r\nHowever, he has advice for anyone who might be asked to install a version of a messaging service which asks for\r\ntotal control of the phone in exchange for installing the app.\r\n\"You should probably not fall for what they're saying when they ask for administrator access as that'll give them\r\ncompromising control over your device,\" he said.\r\nSource: https://www.zdnet.com/article/these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government/"
	],
	"report_names": [
		"these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government"
	],
	"threat_actors": [
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44bd60821e7782e36b7425d8ecd6320dd62f5f46.pdf",
		"text": "https://archive.orkl.eu/44bd60821e7782e36b7425d8ecd6320dd62f5f46.txt",
		"img": "https://archive.orkl.eu/44bd60821e7782e36b7425d8ecd6320dd62f5f46.jpg"
	}
}