{
	"id": "3e639133-053f-4595-8414-b670d0e732c2",
	"created_at": "2026-04-06T00:16:17.833385Z",
	"updated_at": "2026-04-10T03:31:36.786695Z",
	"deleted_at": null,
	"sha1_hash": "b935d6a51a14e8a1eb2a9e22c337cca1aae3b192",
	"title": "Hacking group used Facebook lures to trick victims into downloading Android spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44591,
	"plain_text": "Hacking group used Facebook lures to trick victims into\r\ndownloading Android spyware\r\nBy Danny Palmer\r\nPublished: 2018-02-22 · Archived: 2026-04-05 20:40:41 UTC\r\nA hacking campaign used fake Facebook profiles to trick targets into downloading malware capable of stealing\r\nvast swathes of information, including messages, photos, audio recordings and even the exact location of victims.\r\nThe group has been operating since as early as 2015 and is thought to have infected the Android phones of\r\nhundreds selected targets across the Middle East. The the highest concentration of infections is in Israel, but\r\nvictims have also been seen in the US, China, Germany and France.\r\nUncovered by researchers at Avast, the operation has been dubbed 'Tempting Cedar Spyware'. The name combines\r\nthe main means of attack - by tricking victims using fake social media profiles purporting to be those of a young\r\nwoman - with the Cedar tree, which features prominently on the flag of Lebanon.\r\nThe campaign for distributing the malware begins with fake Facebook profiles which are designed to lure in\r\nvictims - predominantly men - with 'flirty' conversations.\r\nAt least three Facebook accounts - Alona, Rita and Christina - use a series of images stolen from online profiles of\r\nreal people and even interact with one another in an effort to make the catfishing accounts appear more authentic.\r\navast-alona.png\r\nOne of the Facebook profiles used to distribute malware.\r\nImage: Avast\r\nThose behind the fake accounts send suggestive Facebook messages to their selected targets, before asking that\r\nthe chat is taken to a more \"secure and private\" platform for further messages in what's really a ploy to infect the\r\ntarget with malware.\r\nVictims are sent a link to install what they're told is the Kik messaging platform in order to continue the\r\nconversation.\r\nIf the target goes through with the installation - which requires them to allow apps 
to be installed from unknown\r\nsources - they're provided with a very convincing copy of Kik, but one which is laced with commands for\r\nconducting espionage.\r\nThe malware contains a variety of modules for collecting information about the victim, including their contacts,\r\nphotos, call logs and text messages, as well as information about the device including its geolocation - meaning\r\nthe user can be physically tracked - number, network operator and model.\r\nTempting Cedar spyware is even capable of recording audio, meaning it is able to secretly record the\r\nconversations of users, as well as anyone else within earshot of the device. It isn't, however, capable of spreading\r\nitself across networks from an infected device.\r\nWhat researchers have determined is that the operation runs out of Lebanon. 
The 'working hours' of the campaign\r\nmatch up with a Middle Eastern time-zone, but more significantly, a trail points to the domains of the links used to\r\ndistribute the malware being registered by a user in Lebanon, with logins from Lebanese IP addresses.\r\nHowever, researchers note that it's rarely one hundred percent possible to attribute attacks to particular threat\r\nactors.\r\nIt's unclear if this particular operation is still currently active, but Tempting Cedar is known to have still been\r\ntrying to infect victims just a few months ago - it's how the hacking operation came to the attention of\r\nresearchers, who are now working with law enforcement to combat the effects of the campaign.\r\n\"We are working in parallel with a law enforcement agency that is following standard procedure to collaborate\r\nwith other local agencies in the respective countries,\" said Michal Salat, Threat Intelligence Director at Avast.\r\nWhile the method of attack appears crude, it has been effective, infiltrating devices of hundreds of targets over a\r\nsustained period of time.\r\n\"The cybercriminals behind the Tempting Cedar Spyware were able to install a persistent piece of spyware by\r\nexploiting social media, like Facebook, and people's lack of security awareness, and were thus able to gather\r\nsensitive and private data from their victims' phones including real-time location data which makes the malware\r\nexceptionally dangerous,\" said an Avast blog post.\r\nA simple technique which victims could've employed to avoid falling victim to Tempting Cedar is to not reply to\r\nunsolicited messages received from a stranger on the internet and especially not to click on any links which they\r\nsend.\r\nIt's also good practice to only download applications from trusted marketplaces, instead of from strange links.\r\n\"Had the victims done this, they would have avoided the fake and malicious Kik app,\" said researchers. 
\"The\r\n\"girls\" probably would have stopped talking to them, but that would have been for their own good!\"\r\nREAD MORE ON CYBER CRIME\r\nHow these fake Facebook and LinkedIn profiles tricked people into friending state-backed hackers\r\nHow to become a master cyber-sleuth [TechRepublic]\r\nHackers are using this Android malware to spy on Israeli soldiers\r\nYes, that free iPhone X offer is too good to be true [CNET]\r\nFacebook Messenger user? Watch out for fake messages rigged with malware\r\nSource: https://www.zdnet.com/article/hacking-group-uses-facebook-lures-to-trick-victims-into-downloading-android-spyware/\r\nhttps://www.zdnet.com/article/hacking-group-uses-facebook-lures-to-trick-victims-into-downloading-android-spyware/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/hacking-group-uses-facebook-lures-to-trick-victims-into-downloading-android-spyware/"
	],
	"report_names": [
		"hacking-group-uses-facebook-lures-to-trick-victims-into-downloading-android-spyware"
	],
	"threat_actors": [
		{
			"id": "8aa5e5a6-87dd-4700-b5a2-11e08218132e",
			"created_at": "2022-10-25T16:07:24.316497Z",
			"updated_at": "2026-04-10T02:00:04.933194Z",
			"deleted_at": null,
			"main_name": "Tempting Cedar Spyware",
			"aliases": [],
			"source_name": "ETDA:Tempting Cedar Spyware",
			"tools": [
				"Tempting Cedar Spyware",
				"TemptingCedar Spyware"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775791896,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b935d6a51a14e8a1eb2a9e22c337cca1aae3b192.pdf",
		"text": "https://archive.orkl.eu/b935d6a51a14e8a1eb2a9e22c337cca1aae3b192.txt",
		"img": "https://archive.orkl.eu/b935d6a51a14e8a1eb2a9e22c337cca1aae3b192.jpg"
	}
}