{
	"id": "611f8446-44a7-46f9-b122-2b878df6ffea",
	"created_at": "2026-04-06T00:11:53.768829Z",
	"updated_at": "2026-04-10T03:21:17.773608Z",
	"deleted_at": null,
	"sha1_hash": "6f25868a8280ce5d08fead5a4895660d004f9072",
	"title": "ViperRat - Mobile APT Targeting Israeli Defense Force",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62739,
	"plain_text": "ViperRat - Mobile APT Targeting Israeli Defense Force\r\nBy Lookout\r\nPublished: 2017-02-16 · Archived: 2026-04-05 22:47:06 UTC\r\nViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are using to target\r\nand spy on the Israeli Defense Force. The threat actors behind the ViperRAT surveillanceware collect a significant\r\namount of sensitive information from the device and seem most interested in exfiltrating image and audio\r\ncontent. The attackers also hijack the device camera to take pictures.\r\nUsing data collected from the Lookout global sensor network, the Lookout research team gained unique\r\nvisibility into the ViperRAT malware, including 11 new, previously unreported applications. We also discovered and\r\nanalyzed live, misconfigured malicious command and control (C2) servers, from which we were able to identify\r\nhow the attacker gets new, infected apps to install secretly and the types of activity being monitored. In\r\naddition, we uncovered the IMEIs of the targeted individuals (the IMEIs will not be shared publicly, for the privacy\r\nand safety of the victims) as well as the types of exfiltrated content.\r\nIn aggregate, the information stolen could let an attacker know where a person is, with whom they\r\nare associated (including contacts’ profile photos), the messages they send, the websites they visit and their\r\nsearch history, screenshots that reveal data from other apps on the device, the conversations they have in\r\nthe presence of the device, and a myriad of images, including anything at which the device’s camera is pointed.\r\nLookout has determined that ViperRAT is a very sophisticated threat and adds to the mounting evidence that targeted\r\nmobile attacks against governments and businesses are a real problem.\r\nLookout researchers have been tracking this threat for the last month. 
Given that this is an active threat, we have\r\nbeen working behind the scenes with our customers to ensure that both personal and enterprise customers are\r\nprotected, and we decided to come forward with this information only after the research team at\r\nKaspersky released a report earlier today.\r\nAdditionally, although the original reports of this story attribute this surveillanceware tool to\r\nHamas, we have determined that this may not be the case, as we explain below.\r\nThe increasing sophistication of surveillanceware\r\nThe structure of the surveillanceware indicates it is very sophisticated. Analysis indicates there are currently two\r\ndistinct variants of ViperRAT. The first variant is a “first stage application” that performs basic profiling of a\r\ndevice and, under certain conditions, attempts to download and install a much more comprehensive\r\nsurveillanceware component, which is the second variant.\r\nThe first variant involves social engineering the target into downloading a trojanized app. Previous reports alleged\r\nthat this surveillanceware tool was deployed using ‘honey traps’, in which the actor behind it reached out to targets\r\nvia fake social media profiles of young women. After building an initial rapport with targets, the actors behind\r\nthese social media accounts would instruct victims to install an additional app for easier communication.\r\nSpecifically, Lookout determined these were trojanized versions of the apps SR Chat and YeeCall Pro. We also\r\nuncovered ViperRAT in a billiards game, an Israeli Love Songs player, and a Move To iOS app.\r\nThe second stage\r\nThe second stage apps contain the surveillanceware capabilities. 
Lookout uncovered nine secondary payload\r\napplications:\r\n* These apps have not been previously reported and were discovered using data from the Lookout global sensor\r\nnetwork, which collects app and device information from over 100 million sensors to provide researchers and\r\ncustomers with a holistic view of the mobile threat ecosystem today.\r\nNaming additional payload applications as system updates is a clever technique used by malware authors to trick\r\nvictims into believing a threat isn’t present on their device. ViperRAT takes this one step further by using its\r\ndropper app to identify an appropriate second stage ‘update’ that may go unnoticed. For example, if a victim has\r\nViber on their device, the dropper retrieves the Viber Update second stage. If the victim does not have Viber, the\r\ngenerically-named System Updates app is downloaded and installed instead.\r\nWhat was taken\r\nThe actors behind ViperRAT seem to be particularly interested in image data. We were able to identify that 8,929\r\nfiles had been exfiltrated from compromised devices and that the overwhelming majority of these, 97 percent,\r\nwere highly likely encrypted images taken using the device camera. We also observed automatically generated\r\nfiles on the C2, indicating that the actor behind this campaign also issues commands to search for and exfiltrate PDF\r\nand Office documents. 
This should be highly alarming to any government agency or enterprise.\r\nWe observed exfiltrated files containing the following types of data:\r\nContact information\r\nCompressed recorded audio in the Adaptive Multi-Rate (AMR) file format\r\nImages captured from the device camera\r\nImages stored on both internal device storage and SD card storage that are listed in the MediaStore\r\nDevice geolocation information\r\nSMS content\r\nChrome browser search history and bookmarks\r\nCall log information\r\nCell tower information\r\nDevice network metadata, such as phone number, device software version, network country, network\r\noperator, SIM country, SIM operator, SIM serial, IMSI, voice mail number, phone type, network type, data\r\nstate, data activity, call state, SIM state, whether the device is roaming, and whether SMS is supported.\r\nStandard browser search history\r\nStandard browser bookmarks\r\nDevice handset metadata, such as brand, display, hardware, manufacturer, product, serial, radio version,\r\nand SDK.\r\nCommand and control API calls\r\nViperRAT samples are capable of communicating with C2 servers through an exposed API as well as websockets.\r\nBelow is a collection of API methods and a brief description of their purpose.\r\nOn attribution\r\nMedia reporting on ViperRAT thus far attributes this surveillanceware tool to Hamas. Israeli media published the\r\nfirst reports about the social networking and social engineering aspects of this campaign. However, it is unclear\r\nwhether organizations that later reported on ViperRAT performed their own independent research or simply based\r\ntheir content on the original Israeli report. Hamas is not widely known for having a sophisticated mobile\r\ncapability, which makes it unlikely that they are directly responsible for ViperRAT.\r\nViperRAT has been operational for quite some time, with what appears to be a test application that surfaced in late\r\n2015. 
Many of the default strings in this application are in Arabic, including the name. It is unclear whether this\r\nmeans early samples were targeting Arabic speakers or whether the developers behind it are fluent in Arabic.\r\nThis leads us to believe that this is another actor.\r\nWhat this means for you\r\nAll Lookout customers are protected from this threat. However, the existence of threats like ViperRAT and\r\nPegasus, the most sophisticated piece of mobile surveillanceware we have seen to date, is evidence that attackers\r\nare targeting mobile devices.\r\nMobile devices are at the frontier of cyber espionage and other criminal activity. Enterprise and government\r\nemployees all use these devices in their day-to-day work, which means IT and security leaders within these\r\norganizations must prioritize mobile in their security strategies.\r\nInterested in learning more about threats like ViperRAT? Contact Lookout today to get details about our Threat\r\nAdvisory Service and Lookout Mobile Endpoint Security.\r\nSource: https://blog.lookout.com/viperrat-mobile-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.lookout.com/viperrat-mobile-apt"
	],
	"report_names": [
		"viperrat-mobile-apt"
	],
	"threat_actors": [],
	"ts_created_at": 1775434313,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f25868a8280ce5d08fead5a4895660d004f9072.pdf",
		"text": "https://archive.orkl.eu/6f25868a8280ce5d08fead5a4895660d004f9072.txt",
		"img": "https://archive.orkl.eu/6f25868a8280ce5d08fead5a4895660d004f9072.jpg"
	}
}