{
	"id": "c6fa7b9e-fc7f-40f5-9661-206f6aa82eac",
	"created_at": "2026-04-06T00:19:10.146634Z",
	"updated_at": "2026-04-10T03:31:36.781715Z",
	"deleted_at": null,
	"sha1_hash": "9cc78803c4e157c1c98d2fad79a8051acd9ed80c",
	"title": "Avast tracks down Tempting Cedar Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1228229,
	"plain_text": "Avast tracks down Tempting Cedar Spyware\r\nBy Threat Intelligence Team 21 Feb 2018\r\nArchived: 2026-04-05 19:18:56 UTC\r\nSocial engineering used to trick Facebook users into downloading an Advanced Persistent Threat disguised as the Kik Messenger app.\r\nA few months ago, one of our customers contacted us about strange messages he had received on Facebook Messenger. The messages came from fake Facebook profiles of attractive but fictitious women, who encouraged him to download another chat application to continue the conversation. The app they referred him to was spyware disguised as the Kik Messenger app, distributed through a very convincing fake site.\r\nAfter analyzing the fake Kik Messenger app, we confirmed it was spyware, part of an Advanced Persistent Threat (APT) campaign. We are calling it “Tempting Cedar Spyware”. We dug deeper into our archives and found APKs belonging to several fake messenger and feed reader apps, all of which included the same malicious modules.\r\nDuring our analysis, we also discovered that our customer was not the only person to encounter the Tempting Cedar Spyware; unfortunately, many fell for the trap.\r\nTempting Cedar Spyware was designed to steal information such as contacts, call logs, SMS, and photos, as well as device information such as geolocation (used to keep track of the victim's movements), and it was capable of recording surrounding sound, including conversations victims had while their phone was within range.\r\nBased on various clues from the fake Facebook profiles and the campaign infrastructure, we believe the people behind the Tempting Cedar Spyware are Lebanese. The campaign was highly targeted and ran deep under the radar. At the moment, Avast is one of few mobile antivirus providers detecting the threat. 
Our detection is Android:SpyAgent-YP [Trj].\r\nDue to the potential impact on the targeted victims, we contacted law enforcement agencies to help us with threat mitigation.\r\nhttps://blog.avast.com/avast-tracks-down-tempting-cedar-spyware\r\nPage 1 of 15\n\nInfection vector\r\nMore than just Facebook friends\r\nThe malware was distributed using several fake Facebook profiles. After engaging in flirty conversations with their victims, who were most likely young men, the attackers offered to move the conversation from Facebook to a more “secure and private” platform where they could have more intimate interactions. The attackers then sent the victims a link to a phishing website that hosted a malicious copy of the Kik Messenger app. Before they could install the fake messaging app, the victims had to change their device settings to allow installation of apps from unknown sources. This should raise red flags for users; however, sometimes temptation trumps security.\r\nOnce installed, the malware immediately connected to a command and control (C\u0026C) server.\r\nThe spyware was spread using at least the following three fake Facebook profiles. 
We have blurred the photos, as the photos used for the fake accounts were stolen from real people:\r\nAlona\r\nRita\r\nChristina\r\nOne interesting point to note is that the three profiles interacted with one another on Facebook, perhaps to make them appear a bit more credible.\r\nAbove: A screenshot of how the attackers convinced their victims to install the fake Kik Messenger application.\r\nThe website used to distribute the malicious copy of the Kik Messenger app, chat-messenger.site (185.8.237.151), operated until spring 2017 and was a very convincing copycat.\r\nDeep analysis\r\nThe Tempting Cedar Spyware is split into modules, each with its own set of commands. Several modules gather personal information about the victim, including contacts, photos, call logs, and SMS, as well as information about the mobile device, such as geolocation, Android version, device model, network operator, and phone numbers. Other modules record audio or give the operator access to the infected device's file system.\r\nAll modules with commands:\r\nModule name       Commands\r\nAUDIO             START, STOP, RECORD_START, RECORD_STOP\r\nCONTACTS          COUNT, GET\r\nFS (file system)  APP, CD, DOWNLOAD, DOWNLOAD_STATUS, EXTERNAL, GET, INSTALL, INTERNAL, LS, MKDIR, PWD, RM\r\nGEO               GETLOC\r\nINFO              USER_INFO, PS (running apps process list)\r\nPHOTOS            LSX, GETX, LSI, GETI, TAKEPIC_FRONT, TAKEPIC_BACK\r\nTELEPHONE         COUNT_CALL_LOGS, COUNT_SMS, GET_CALL_LOGS, GET_SMS\r\nKEEPALIVE         (no commands)\r\nPING              not implemented\r\nVIDEO             not implemented\r\nThe spyware persisted as a service and ran after every 
reboot.\r\nEach fake Kik APK contains the same injected malicious class, eighty9.guru, and a file named rsdroid.crt holding a certificate for that sample's C\u0026C domain; the certificate differs between samples.\r\nBecause the same rsdroid.crt certificate name was reused across samples, we were able to find additional C\u0026C and data exfiltration servers.\r\nAll rsdroid.crt certificates from the fake APKs (serial numbers in hexadecimal):\r\nIssued to         Valid from   Valid to     Serial number\r\ngserv.mobi        2015-04-28   2020-04-01   00fe4b81ee781fe486\r\nnetwork-lab.info  2016-03-29   2026-03-27   0090400fbd572edcc6\r\nonlineclub.info   2017-05-24   2027-05-22   00e7238783cc4e87de\r\nfree-apps.us      2017-08-24   2035-11-08   00b6965aa72d97446d\r\nC\u0026C administration and infrastructure\r\nFollowing their victims' every step\r\nThe malware communicated with its C\u0026C server over TCP port 2020. It is also worth mentioning that a C\u0026C console ran on port 443, presenting a certificate with the familiar subject common name rsdroid.\r\nThe C\u0026C console allowed the attackers to track their victims live. The image below does not include any data, as we don't want to disclose any of the victims' locations, but it shows the region where Tempting Cedar was spread the most.\r\nOther hosts with this common name are easy to find using open source tools.\r\nAbove: Open source data about the C\u0026C server hosts\r\nWe created an image of the computer infrastructure used in the campaign.\r\nAll signs point to Lebanon\r\nIt is always difficult to attribute persistent threat campaigns like this one to specific cybercriminals. 
However, several pieces of information point to the cybercriminals behind this campaign being Lebanese.\r\nThe first clue that led us to this conclusion is the attackers' working hours. We saw only about 30 logins in the SSH log we received. The user root logged in on workdays, occasionally on Saturdays, but never on Sundays. The working hours in the SSH log correspond with Eastern European and Middle Eastern time zones.\r\nThe second breadcrumb was the infrastructure used in the campaign, which also points to Lebanon. WHOIS data revealed that two of the domains were registered by someone in Lebanon, whereas the others were registered with fictitious registrant data:\r\nchat-world.site was registered by Jack Zogby, Beirut, Lebanon, jack.zogby@yandex.com\r\nnetwork-lab.info was registered by Jack Halawani, Beirut, Lebanon, jack.halawani@yandex.com\r\nOver the last two years, SSH logins were also made from Lebanese ISPs' IP ranges (185.99.32.0/22, 78.40.183.0/24).\r\nThe likes of one of the fake Facebook profiles are also interesting; had any of the victims taken a closer look at them, they might not have fallen for the scam. 
Rita, the petite brunette, seems to be interested in military groups and in a Lebanon and Israel friendship group.\r\nAbove: Rita's likes on Facebook\r\nThe Lebanon \u0026 Israel Friendship connection group is interesting when considering the victims' locations. While we observed a small number of victims in the USA, France, Germany, and China, the majority of victims were in the Middle East, with most of them located in Israel.\r\nAbove: Map showing the countries most of the victims came from\r\nConclusion\r\nThe targeted Tempting Cedar campaign has been running under the radar since as far back as 2015, targeting people in Middle Eastern countries. The spyware's infection vector is social engineering using attractive but fictitious Facebook profiles. The fake Kik APK sent to victims masquerades as the legitimate Kik Messenger app; once it has gained access to a victim's phone, the spyware starts exfiltrating sensitive data to the attackers' infrastructure. Evidence points to the attackers being a Lebanese hacking group; however, we cannot be 100% sure this is true.\r\n
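The working-hours clue from the SSH log can be reproduced mechanically. The block below is an added example, not code from the Avast post: it takes constructed sshd auth.log lines (standing in for the roughly 30 real logins the post mentions), keeps only successful root logins, builds the weekday histogram the post describes, and scores candidate UTC offsets by how many logins fall inside Monday-to-Saturday office hours. The log year (2017), the assumption that the log was written in UTC, the host name and addresses in the sample lines, and the 08:00 to 18:00 working window are this example's own assumptions.

```python
from datetime import datetime, timedelta

# Constructed sshd lines standing in for the roughly 30 logins the report mentions.
# syslog timestamps carry neither year nor zone; this example assumes the log was
# written in UTC in 2017 (both are assumptions, not facts from the report).
AUTH_LOG = '''
Mar  6 06:12:44 cnc sshd[2211]: Accepted password for root from 185.99.33.10 port 51234 ssh2
Mar  7 07:40:02 cnc sshd[2340]: Accepted password for root from 185.99.33.10 port 51240 ssh2
Mar  8 09:05:19 cnc sshd[2455]: Accepted password for root from 78.40.183.20 port 40122 ssh2
Mar  9 11:30:51 cnc sshd[2601]: Accepted password for root from 185.99.33.10 port 51301 ssh2
Mar  9 11:31:05 cnc sshd[2602]: Failed password for root from 198.51.100.77 port 39000 ssh2
Mar  9 12:00:00 cnc sshd[2610]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Mar 10 14:50:07 cnc sshd[2702]: Accepted password for root from 185.99.35.7 port 51390 ssh2
Mar 11 06:30:33 cnc sshd[2811]: Accepted password for root from 78.40.183.20 port 40150 ssh2
'''
LOG_YEAR = 2017
WEEKDAYS = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun')

def root_logins(log_text, year=LOG_YEAR):
    # Keep successful root logins only; failed attempts and other users say nothing
    # about when the operators actually worked.
    logins = []
    for line in log_text.strip().splitlines():
        if 'Accepted ' not in line or ' for root from ' not in line:
            continue
        month, day, clock = line.split()[:3]
        stamp = month + ' ' + day + ' ' + clock + ' ' + str(year)
        logins.append(datetime.strptime(stamp, '%b %d %H:%M:%S %Y'))
    return logins

def weekday_histogram(logins):
    # Logins per weekday in the zone the log was written in: the report saw none on Sundays.
    counts = dict.fromkeys(WEEKDAYS, 0)
    for ts in logins:
        counts[WEEKDAYS[ts.weekday()]] += 1
    return counts

def best_utc_offsets(logins, start_hour=8, end_hour=18):
    # Shift every login by a candidate offset and count how many land inside
    # Monday-to-Saturday office hours; the offsets with the highest count are
    # the zones the operators most plausibly worked in.
    scores = {}
    for offset in range(-12, 15):
        local = [ts + timedelta(hours=offset) for ts in logins]
        scores[offset] = sum(1 for ts in local
                             if ts.weekday() < 6 and start_hour <= ts.hour < end_hour)
    top = max(scores.values())
    return [offset for offset, score in scores.items() if score == top]

if __name__ == '__main__':
    logins = root_logins(AUTH_LOG)
    print(weekday_histogram(logins))
    print(best_utc_offsets(logins))   # UTC+2 and UTC+3 fit the constructed data
```

With real logs, feed the whole auth.log and take the year and zone from the server's configuration instead of assuming UTC. A few dozen logins, as in the report, are enough to separate Sunday from Saturday but not enough to tell neighbouring offsets apart, which is why the function returns a list of equally plausible offsets rather than a single zone.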
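The indicators in this post come in two forms that tooling tends to match badly: network endpoints (the C\u0026C IPs, TCP port 2020, the port-443 console) and certificate data (subject common name rsdroid, with serial numbers printed in decimal in the IOC list but in hexadecimal in the rsdroid.crt table). The block below is an added example, not part of the Avast post or its tooling. It classifies constructed, simplified connection records against the IP and port indicators, keeps the Lebanese ISP ranges separate because they are where the operators logged in from rather than C\u0026C infrastructure, and normalises certificate serials to integers with an explicit base so that a decimal string is never silently parsed as hex. The record layout, the sample flows and the serial subset are this example's own.

```python
import ipaddress

# Indicators from the report. The flow records further down are constructed for this
# example and use a simplified layout, not real Zeek or NetFlow output.
CNC_PORT = 2020        # implant beacon
CONSOLE_PORT = 443     # operator console presenting the rsdroid certificate
CNC_IPS = {'185.166.236.134', '46.28.109.69', '5.135.207.244', '31.31.75.174',
           '155.94.136.10', '213.32.65.238', '84.200.17.154', '185.8.237.151',
           '5.45.176.236', '46.101.199.72'}
# Lebanese ISP ranges the operators SSHed in from: attribution context, not C2 hosts.
OPERATOR_RANGES = [ipaddress.ip_network(r) for r in ('185.99.32.0/22', '78.40.183.0/24')]
CERT_CN = 'rsdroid'

def parse_serial(text, hexadecimal):
    # Serials appear as decimal (IOC list) or hex with a leading 00 and sometimes
    # colons (rsdroid.crt table, openssl output). The caller states the base explicitly,
    # because int(s, 16) would silently accept an all-digit decimal string.
    return int(text.replace(':', '').replace(' ', ''), 16 if hexadecimal else 10)

# A subset of the decimal serials from the IOC list plus the hex ones from the table.
IOC_SERIALS = {parse_serial(s, hexadecimal=False) for s in (
    '10418450096179084191', '11696648495248868788', '13367542350555075590')}
IOC_SERIALS |= {parse_serial(s, hexadecimal=True) for s in (
    '00fe4b81ee781fe486', '0090400fbd572edcc6', '00e7238783cc4e87de', '00b6965aa72d97446d')}

def classify_flow(line):
    # Constructed record layout: ts uid src sport dst dport proto
    ts, uid, src, sport, dst, dport, proto = line.split()
    hits = []
    if dst in CNC_IPS:
        port = int(dport)
        if proto == 'tcp' and port == CNC_PORT:
            hits.append('cnc-beacon')
        elif proto == 'tcp' and port == CONSOLE_PORT:
            hits.append('cnc-console')
        else:
            hits.append('cnc-ip')
    if any(ipaddress.ip_address(ip) in net for ip in (src, dst) for net in OPERATOR_RANGES):
        hits.append('operator-range')
    return uid, hits

def scan_flows(text):
    # Return (uid, hits) for every record that matched at least one indicator.
    results = [classify_flow(line) for line in text.strip().splitlines()]
    return [(uid, hits) for uid, hits in results if hits]

def classify_cert(subject_cn, serial_int):
    reasons = []
    if subject_cn == CERT_CN:
        reasons.append('cn-rsdroid')
    if serial_int in IOC_SERIALS:
        reasons.append('serial-match')
    return reasons

SAMPLE_FLOWS = '''
1519200000.1 CAb1 10.0.0.7 51000 185.8.237.151 2020 tcp
1519200001.2 CAb2 10.0.0.7 51001 185.8.237.151 443 tcp
1519200002.3 CAb3 10.0.0.9 51002 198.51.100.10 443 tcp
1519200003.4 CAb4 78.40.183.20 44000 185.166.236.134 22 tcp
'''

if __name__ == '__main__':
    for uid, hits in scan_flows(SAMPLE_FLOWS):
        print(uid, hits)
    # openssl prints serials with colons; this is the same value as 00fe4b81ee781fe486 in the table
    print(classify_cert('rsdroid', parse_serial('fe:4b:81:ee:78:1f:e4:86', hexadecimal=True)))
```

The cnc-ip plus operator-range pair on the port-22 record is what the post's own SSH evidence looks like from the server side: an address in a Lebanese ISP range talking to a C\u0026C host. On a victim network only the cnc-beacon and cnc-console tags should ever appear, and blocking should target the C\u0026C IPs, not the ISP ranges.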
The social engineering part of the campaign seems to have targeted people in Eastern European and Middle Eastern countries. Despite the unsophisticated techniques and the poor operational security of the operators, the attack managed to remain undetected for several years.\r\nThe cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by exploiting social media such as Facebook and people's lack of security awareness, and were thus able to gather sensitive and private data from their victims' phones, including real-time location data, which makes the malware exceptionally dangerous.\r\nSteps to take to protect yourself against spyware\r\nHere are a few things you can do to avoid being manipulated like this into downloading spyware:\r\nUse antivirus software. Even if you accidentally download malware onto your phone, Avast will detect and remove the malware, to keep your data and privacy safe.\r\nDon't talk to strangers. There is a reason why parents have been warning kids about talking to strangers, and this case confirms that talking to strangers online is no different and is not a good idea.\r\nNever open links or download software sent to you from untrusted sources. The victims of this spyware campaign were tricked into downloading the spyware themselves because they trusted the girls they were talking to online, despite never meeting them in person. On top of this, they ignored Android's warnings about installing apps from unknown sources.\r\nDownload from the source. Whenever possible, go directly to the homepage of the established company, typing the URL yourself; companies usually promote their mobile apps on their websites, so you can download the app straight from the source. Had the victims done this, they would have avoided the fake and malicious Kik app. 
The “girls” probably would have stopped talking to them, but that would have been for their own good!\r\nIOCs\r\nFake Kik messenger SHA256:\r\n041136252FFEF074B0DEBA167BD12B8977E276BAC90195B7112260AB31DDB810\r\n2807AB1A912FF0751D5B7C7584D3D38ACC5C46AFFE2F168EEAEE70358DC90006\r\n3065AD0932B1011E57961104EB96EEE241261CB26B9252B0770D05320839915F\r\n5259AD04BDEA3F41B3913AA09998DB49553CE529E29C868C48DF40D5AA7157EA\r\n624A196B935427A82E8060876480E30CE6867CB9604107A44F85E2DA96A7A22E\r\n9D1FDA875DE75DEA545D1FF84973B230412B8B4946D64FF900E9D22B065F8DCC\r\nB181F418F6C8C79F28B1E9179CAEFEB81BDF77315814F831AF0CF0C2507860C4\r\nD7A4ABA5FC2DEE270AE84EAC1DB98B7A352FB5F04FD07C3F9E69DE6E58B4C745\r\nF67469C82E948628761FDFD26177884384481BA4BDBC15A53E8DF92D3F216648\r\nFE2996BC0C47C0626F43395EEE445D12E7C024C1B0AA2358947B5F1D839A5868\r\nFake Datasettings SHA256:\r\n1DEB727C05AA5FABF6224C0881970ACA78649A799EEB6864260DE97635FA005A\r\n94ADF4C8A27722307C11F6C0376D4A51CFD56BA3CC47F9E5447179D1E0F7289F\r\nA411A587B4256007F0E0A3C3A3C3097062242B5359A05A986195E76DA7334B7D\r\nFake feedreader SHA256:\r\n58F74545D47F5DA1ECF3093F412D7D9544A33D36430AB1AF709D835A59184611\r\nDomains:\r\nchat-world.site\r\nchat-messenger.site\r\ngserv.mobi\r\narab-chat.site\r\nonlineclub.info\r\nfree-apps.us\r\nnetwork-lab.info\r\nkikstore.net\r\nIPs (including historic records):\r\n185.166.236.134\r\n46.28.109.69\r\n5.135.207.244\r\n31.31.75.174\r\n155.94.136.10\r\n213.32.65.238\r\n84.200.17.154\r\n185.8.237.151\r\n5.45.176.236\r\n46.101.199.72\r\n185.99.32.0/22 (Lebanese ISP range; source of the operators' SSH logins, not C\u0026C infrastructure)\r\n78.40.183.0/24 (Lebanese ISP range; source of the operators' SSH logins, not C\u0026C infrastructure)\r\nRsdroid certificate serial 
numbers (decimal; the rsdroid.crt table above lists serials in hexadecimal):\r\n10418450096179084191\r\n11696648495248868788\r\n13367542350555075590\r\n17798583036840002648\r\n17362149250016288818\r\n11008990750836915855\r\n12430448762037889566\r\n12941986373589998425\r\n14237693369114233902\r\n15175240657458101230\r\n18263349974554467657\r\n10031168301806868687\r\n12450086912549212859\r\n13469158752397659430\r\n13887786183890428647\r\n15448206077875179259\r\n15525317917180712785\r\n16639512314094306104\r\n10671561344391424094\r\n14360088739535268901\r\n16495367076336282102\r\n15684750702817909758\r\n17908820252718507450\r\n10302454590553748328\r\nFake FB profiles:\r\nfacebook.com/profile.php?id=100013563997788\r\nfacebook.com/profile.php?id=100011377795504\r\nfacebook.com/profile.php?id=100011891805784\r\nSource: https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware"
	],
	"report_names": [
		"avast-tracks-down-tempting-cedar-spyware"
	],
	"threat_actors": [
		{
			"id": "8aa5e5a6-87dd-4700-b5a2-11e08218132e",
			"created_at": "2022-10-25T16:07:24.316497Z",
			"updated_at": "2026-04-10T02:00:04.933194Z",
			"deleted_at": null,
			"main_name": "Tempting Cedar Spyware",
			"aliases": [],
			"source_name": "ETDA:Tempting Cedar Spyware",
			"tools": [
				"Tempting Cedar Spyware",
				"TemptingCedar Spyware"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791896,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cc78803c4e157c1c98d2fad79a8051acd9ed80c.pdf",
		"text": "https://archive.orkl.eu/9cc78803c4e157c1c98d2fad79a8051acd9ed80c.txt",
		"img": "https://archive.orkl.eu/9cc78803c4e157c1c98d2fad79a8051acd9ed80c.jpg"
	}
}