{
	"id": "a4005fa1-077d-436c-8313-127dbfd27a6f",
	"created_at": "2026-04-06T00:18:39.895291Z",
	"updated_at": "2026-04-10T13:12:46.032337Z",
	"deleted_at": null,
	"sha1_hash": "4fc435b9910d49c31616ca9577cb1b18ae24b15c",
	"title": "ViceLeaker Operation: mobile espionage targeting Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531120,
	"plain_text": "ViceLeaker Operation: mobile espionage targeting Middle East\r\nBy GReAT\r\nPublished: 2019-06-26 · Archived: 2026-04-05 15:26:40 UTC\r\nIn May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims, and a hash of the APK (Android application package) involved was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\r\nSpyware sensor sample feed containing the first sample\r\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blog post. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. 
We decided to call the operation “ViceLeaker”, because of strings and variables in its code.\r\nMobile ViceLeaker\r\nThe following table shows meta information on the observed samples, including compiler timestamps:\r\nMD5 Package Compiler C2\r\n51df2597faa3fce38a4c5ae024f97b1c com.xapps.SexGameForAdults dexlib 2.x 188.165.28[.]251\r\n2d108ff3a735dea1d1fdfa430f37fab2 com.psiphon3 dexlib 2.x 188.165.49[.]205\r\n7ed754a802f0b6a1740a99683173db73 com.psiphon3 dexlib 2.x 188.165.49[.]205\r\n3b89e5cd49c05ce6dc681589e6c368d9 ir.abed.dastan dexlib 2.x 185.141.60[.]213\r\nTo backdoor legitimate applications, the attackers used a Smali injection technique: the code of the original app is disassembled with the Baksmali tool, the malicious code is added, and the result is assembled again with Smali. Because of this unusual compilation process, there were signs in the dex file that point to dexlib, a library used by the Smali tool to assemble dex files.\r\nhttps://securelist.com/fanning-the-flames-viceleaker-operation/90877/\r\nPage 1 of 10\n\nOriginal code of the APK on the left, versus injected APK on the right\r\nThe analysis of the APK was rather interesting, because some of the actions were very common spyware features, such as the exfiltration of SMS messages, call logs and other data. However, in addition to the traditional functionality, there were also backdoor capabilities such as uploading, downloading and deleting files, camera takeover and recording surrounding audio.\r\nThe malware uses HTTP for communication with the C2 server for command handling and data exfiltration. 
Here is a command and control protocol fragment:\r\nParsing of commands from the C2 server\r\nIn total, the malicious APK handles 16 different commands:\r\nCommand Endpoint Description\r\n1 reqsmscal.php Send specified SMS message\r\n2 reqsmscal.php Call specified number\r\n3 reqsmscal.php Exfiltrate device info, such as phone model and OS version\r\n4 reqsmscal.php Exfiltrate a list of all installed applications\r\n5 reqsmscal.php Exfiltrate default browser history (limited to a given date)\r\n6 reqsmscal.php Exfiltrate Chrome browser history (limited to a given date)\r\n7 reqsmscal.php Exfiltrate memory card file structure\r\n8 reqsmscal.php Record surrounding sound for 80 seconds\r\n1 reqcalllog.php Exfiltrate all call logs\r\n2 reqcalllog.php Exfiltrate all SMS messages\r\n3 reqcalllog.php Upload specified file from the device to the C2\r\n4 reqcalllog.php Download file from specified URL and save on device\r\n5 reqcalllog.php Delete specified file\r\n6,7,8 reqcalllog.php Commands not yet implemented\r\n9 reqcalllog.php Take photo (muted audio) with rear camera, send to C2\r\n10 reqcalllog.php Take photo (muted audio) with front camera, send to C2\r\nAll observed samples with Smali injections were signed by the same debug certificate (0x936eacbe07f201df).\r\nAs we know from our investigation, traces of the first development activities were found at the end of 2016, but the main distribution campaign began in 2018 (end of 2017).\r\nBased on our detection statistics, the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers. 
The following detection paths are relevant (the last one belongs to an alternative Telegram client, “Telegram X”):\r\nName Detection path\r\nSex Game For Adults 18.apk /storage/emulated/0/WhatsApp/Media/WhatsApp Documents/\r\n4_6032967490689041387.apk /storage/emulated/0/Telegram/Telegram Documents/\r\nPsiphon-v91.apk /storage/emulated/0/Android/data/org.thunderdog.challegram/files/documents/\r\nBackdoored Open Source\r\nDuring the course of our analysis, we also found samples sharing code with the ViceLeaker malware; in particular, they shared a delimiter that was used in both cases to parse commands from the C2 server.\r\nModified Conversations (on the right) code overlap with the Smali injections (left)\r\nThis would be a very unusual coincidence. Although a false flag might also be a possibility, we consider this to be unlikely.\r\nThe samples sharing this overlap are modified versions of an open source Jabber/XMPP client called “Conversations” with some code additions. The legitimate version of this app is also available on Google Play.\r\nScreenshot of Conversations app on Google Play\r\nThe modified Conversations samples differ from the original one in the getKnownHosts method, which was modified to replace the main XMPP host with the attackers’ C2 server:\r\nComparison of the original “getKnownHosts” method (from GitHub) and the modified one\r\nIt appears that the attackers were using a specific C2 for that app. 
Another important modification is in the message transfer process:\r\nComparison of the original Conversations method with the modified one\r\nWith this modification, the application sends device location coordinates with every message.\r\nThere are also many other modifications, fully described in our private report. In addition, we did not see traces of the Smali injection. In this case we found traces of the dx/dexmerge compilers, which means that, this time, the attackers just imported the original source code into an Android IDE (such as Android Studio) and compiled it with their own modifications.\r\ndx/dexmerge compiler of the modified Conversations samples\r\nIn addition to adding the code, the attackers also changed the icon and package name. We do not know why, but we suspect that it was an attempt to hide the origin of the application.\r\nConversations-based app mimics Telegram messenger\r\nAlthough we originally thought this was a backdoored version of the Conversations app, used to infect victims, we did not discover anything malicious in it. This led us to the hypothesis that this might be a version used by the group behind ViceLeaker for internal communication or for other, unclear purposes. All the detections of this backdoored app were geolocated in Iran.\r\nBackdoored Conversations C2 server analysis\r\nDuring the analysis of the Smali-injected apps and their C2 server infrastructure we had not found any interesting clues, but things changed when we looked at the C2 server of the linked Conversations messenger. It uses “185.51.201[.]133” as its main C2 address, and there is only one domain hosted on this dedicated server: iliageram[.]ir. Note that we later found versions that used the domain as a C2 directly instead of the IP address. 
The WHOIS record contains a personal email address:\r\nWHOIS records of the C2 server exposing the attacker’s email address\r\nWe were aware of the possibility that the attackers might be using a compromised email account, so we dug deeper to find more information related to this email address. A quick search produced results about a personal page and, more interestingly, a GitHub account that contains a forked Conversations repository.\r\nRelated GitHub account contains forked Conversations repository\r\nSummarizing all the clues found, we have the following attribution flow:\r\nConclusion\r\nThe ViceLeaker operation is still ongoing, as is our research. The attackers have taken down their communication channels and are probably looking for ways to assemble their tools in a different manner.\r\nKaspersky detects and blocks samples of the ViceLeaker operation using the following verdict: Trojan-Spy.AndroidOS.ViceLeaker.*\r\nWe are also currently investigating whether this group might be behind a large-scale web-oriented attack at the end of 2018 using code injection and exploiting SQL vulnerabilities. Even if this were not directly related to the Android malware described in this blog post, it would be an indicator of the wider capabilities and objectives of this actor.\r\nFor more information about the ViceLeaker operation, contact us at: intelreports@kaspersky.com\r\nSource: https://securelist.com/fanning-the-flames-viceleaker-operation/90877/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"
	],
	"report_names": [
		"90877"
	],
	"threat_actors": [
		{
			"id": "e0b6d3fa-157c-45bf-b9e3-3aa9f9aa7de7",
			"created_at": "2022-10-25T16:07:24.024256Z",
			"updated_at": "2026-04-10T02:00:04.844251Z",
			"deleted_at": null,
			"main_name": "Operation ViceLeaker",
			"aliases": [],
			"source_name": "ETDA:Operation ViceLeaker",
			"tools": [
				"Triout",
				"ViceLeaker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b960c826-adff-49e8-97aa-017ceab56776",
			"created_at": "2023-01-06T13:46:39.036244Z",
			"updated_at": "2026-04-10T02:00:03.191243Z",
			"deleted_at": null,
			"main_name": "ViceLeaker",
			"aliases": [],
			"source_name": "MISPGALAXY:ViceLeaker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4fc435b9910d49c31616ca9577cb1b18ae24b15c.pdf",
		"text": "https://archive.orkl.eu/4fc435b9910d49c31616ca9577cb1b18ae24b15c.txt",
		"img": "https://archive.orkl.eu/4fc435b9910d49c31616ca9577cb1b18ae24b15c.jpg"
	}
}