{
	"id": "65c07d68-fef1-4134-b07b-d0451fffb9ff",
	"created_at": "2026-04-06T00:09:46.573942Z",
	"updated_at": "2026-04-10T13:12:03.514985Z",
	"deleted_at": null,
	"sha1_hash": "ef141033abc36d8b122400d11e978cf6af4a6edc",
	"title": "Nation-State Mobile Malware Targets Syrians with COVID-19 Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2615614,
	"plain_text": "Nation-State Mobile Malware Targets Syrians with COVID-19 Lures\r\nBy Lookout\r\nPublished: 2020-04-15 · Archived: 2026-04-05 21:38:37 UTC\r\nLookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors,\r\nwhich recently started using the novel coronavirus as its newest lure to entice its targets to download malware.\r\nThis campaign appears to have been active since the start of January 2018, and targets Arabic-speaking users,\r\nlikely in Syria and the surrounding region. None of these apps were available on the official Google Play Store,\r\nsuggesting they were likely distributed through actor-operated watering holes or third-party app stores. Lookout\r\npreviously reported on another surveillanceware campaign using COVID-19-related lures targeting Libya.\r\nApplications from this surveillance campaign impersonate a variety of applications, with titles such\r\nas “Covid19”, “Telegram Covid_19”, “Android Telegram”, and “Threema Arabic” (an end-to-end\r\nencrypted messaging application), as well as a phone signal booster and OfficeSuite application.\r\nPackage names also allude to Syrian targeting, with names such as “com.syria.tel”,\r\n“syria.tel.ctu”, and “com.syriatel.ctu”.\r\nSyrian connections\r\nLookout researchers found 71 malicious Android applications connected to the same command-and-control (C2)\r\nserver. The IP address of the C2 server is located in a block of addresses held by Tarassul Internet Service\r\nProvider, an ISP owned by – and sharing network infrastructure with – the Syrian Telecommunications\r\nEstablishment (STE) (Freedom House, 2018). STE has a history of hosting infrastructure for the Syrian Electronic\r\nArmy (SEA), a Syrian state-sponsored hacking group. 
Notably, the C2 servers of SilverHawk, an Android\r\nmalware family previously reported on by Lookout researchers, were located on IP addresses belonging to STE.\r\nhttps://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures\r\nPage 1 of 8\n\nNot all applications in this campaign were completely scrubbed of sensitive information when they were created.\r\nA large portion of the malicious applications are SpyNote samples, which store C2 information, along with\r\noperator-entered names, version numbers, and other information, in res/values/strings.xml. In the strings.xml files of these\r\napplications, 22 APKs reference “Allosh”, a name previously used in connection with a known Syrian Electronic\r\nArmy persona.\r\nPrevious strings appearing in other malware associated with the Syrian Electronic Army contain this name, such\r\nas “c:\\users\\allosh hacker\\documents\\visual studio 2012\\Projects\\allosh\\allosh\\obj\\Debug\\Windows.pdb”\r\nmentioned in reporting by Citizen Lab on the SEA’s malicious repackaging of the Psiphon 3 circumvention tool,\r\nand “c:\\Users\\Allosh Hacker\\Desktop\\Application\\obj\\Debug\\Clean Application.pdb” from PDB paths discovered\r\nin binaries associated with SilverHawk infrastructure.\r\nScreenshot of a strings.xml file, and all unique personas discovered in this campaign.\r\nThe Syrian Electronic Army has been active recently, with one of their Twitter accounts claiming responsibility\r\nthis month for DDoS attacks against Belgian media, as well as defacing PayPal and eBay websites as recently as\r\nApril 7, 2020.\r\nTwo of the most recent claims by @Official_SEA7, one of the Syrian Electronic Army’s multiple\r\nTwitter accounts, which has been active since 2013.\r\nSyrian authorities are known to heavily censor their country’s internet, with Syria ranking 174th on Reporters\r\nWithout Borders 2019 
World Press Freedom Index. In addition, according to the 2018 Freedom of the Net Report\r\npublished by Freedom House, an NGO which conducts research and advocacy on democracy, political freedom,\r\nand human rights, “In areas controlled by the government, the Syrian Telecommunications Establishment (STE)\r\nserves as both an ISP and the telecommunications regulator, providing the government with tight control over the\r\ninternet infrastructure. Furthermore, private fixed-line and mobile ISPs are required to sign a memorandum of\r\nunderstanding to connect to the international internet via gateways controlled by the Syrian Information\r\nOrganization (SIO)” (Freedom on the Net 2018).\r\nAfter installation, the original Covid19 application hides its icon and only displays the newly\r\ninstalled Degree Measure application.\r\nThe newly installed application (com.finger.body.temperature.ap) is a benign prank: a fake digital thermometer\r\nthat serves as a decoy. Meanwhile, the malware continues to operate in the background.\r\nThe user holds down on the screen on the fingerprint and is informed that their body temperature is\r\n35°C.\r\nSome AndoServer samples are purely surveillanceware that do not even pretend to be anything else, while others,\r\nlike this sample here, contain legitimate applications inside the malware, with the benign APK hidden in the\r\nres/raw folder.
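The two artefact locations described above, C2 details left in res/values/strings.xml by SpyNote builders and a benign APK stashed under res/raw by AndoServer, translate directly into a triage check. What follows is an added example and not code from Lookout or from the post. It assumes the APK has already been decoded with apktool so that res/values/strings.xml and the res/raw payloads are plain files on disk; the resource names it flags (host, port, name, ver and similar) are an assumption about how SpyNote-style builders label their fields rather than a published signature; and the IP address, port and file names in the constructed sample are made up, with only the persona string Allosh taken from the post.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed strings.xml in the style the post describes for SpyNote builds.
# The host, port and version are invented for this example; they are not IOCs.
SAMPLE_STRINGS_XML = '''<resources>
    <string name='app_name'>Covid19</string>
    <string name='host'>192.0.2.10</string>
    <string name='port'>1337</string>
    <string name='name'>Allosh</string>
    <string name='ver'>6.4</string>
    <string name='hello'>Hello world!</string>
</resources>
'''

# IPv4[:port] or hostname[:port] with an alphabetic top-level label, so that
# version strings such as 6.4 are not mistaken for C2 addresses.
NET_RE = re.compile(r'(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?::[0-9]{1,5})?|'
                    r'[A-Za-z0-9-]+(?:[.][A-Za-z0-9-]+)*[.][A-Za-z]{2,}(?::[0-9]{1,5})?')

# Resource names a builder is assumed to leave behind (assumption, not a
# published signature); matching is case-insensitive.
SUSPECT_NAMES = {'host', 'port', 'name', 'ver', 'version', 'ip', 'server'}

ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])  # 'PK' local file header; APKs are ZIPs


def triage_strings_xml(xml_text):
    '''Return network-looking values and suspect resource names from strings.xml.'''
    root = ET.fromstring(xml_text)
    findings = {'network': [], 'suspect': {}}
    for el in root.iter('string'):
        name = el.get('name', '')
        value = (el.text or '').strip()
        if NET_RE.fullmatch(value):
            findings['network'].append((name, value))
        if name.lower() in SUSPECT_NAMES:
            findings['suspect'][name] = value
    return findings


def find_embedded_apks(decoded_dir):
    '''List res/raw files that begin with a ZIP header, the hiding spot the post
    describes for the decoy application inside AndoServer samples.'''
    raw_dir = os.path.join(decoded_dir, 'res', 'raw')
    hits = []
    if not os.path.isdir(raw_dir):
        return hits
    for fname in sorted(os.listdir(raw_dir)):
        with open(os.path.join(raw_dir, fname), 'rb') as fh:
            if fh.read(4) == ZIP_MAGIC:
                hits.append(fname)
    return hits


def triage_decoded_apk(decoded_dir):
    '''Combine both checks over an apktool output directory.'''
    with open(os.path.join(decoded_dir, 'res', 'values', 'strings.xml')) as fh:
        findings = triage_strings_xml(fh.read())
    findings['embedded_apks'] = find_embedded_apks(decoded_dir)
    return findings


def build_demo_tree():
    '''Create a throwaway decoded-APK layout (constructed data) so the triage
    runs offline: one res/raw file with a ZIP header, one with an ID3 audio tag.'''
    root = tempfile.mkdtemp(prefix='apk_triage_')
    os.makedirs(os.path.join(root, 'res', 'values'))
    os.makedirs(os.path.join(root, 'res', 'raw'))
    with open(os.path.join(root, 'res', 'values', 'strings.xml'), 'w') as fh:
        fh.write(SAMPLE_STRINGS_XML)
    with open(os.path.join(root, 'res', 'raw', 'decoy'), 'wb') as fh:
        fh.write(ZIP_MAGIC + bytes(60))            # header only, not a real APK
    with open(os.path.join(root, 'res', 'raw', 'beep'), 'wb') as fh:
        fh.write(bytes([0x49, 0x44, 0x33]) + bytes(60))  # 'ID3': a ringtone, not an APK
    return root


if __name__ == '__main__':
    print(triage_decoded_apk(build_demo_tree()))
```

Point triage_decoded_apk at a real apktool output directory; the demo tree exists only so the script runs offline. A ZIP header under res/raw is a strong hint rather than proof of an embedded APK, so follow up by unpacking the file and checking for AndroidManifest.xml and classes.dex before treating it as the decoy.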
\r\nAndoServer samples receive commands from the C2 server and are capable of:\r\nTaking a screenshot\r\nGetting the battery level and whether the device is plugged in\r\nReporting location (latitude and longitude)\r\nGetting a list of installed applications\r\nLaunching an application specified by the malicious actor\r\nChecking the number of cameras on a device\r\nChoosing a specific camera to access\r\nCreating a specific pop-up message (toast)\r\nRecording audio\r\nCreating a file on external storage\r\nExfiltrating call logs\r\nListing files contained in a specified directory\r\nCalling a phone number\r\nExfiltrating SMS messages\r\nSending SMS to a phone number\r\nExfiltrating the contact list\r\nPlaying a ringtone and then sleeping\r\nAndoServer malware has its C2 domain or IP address hard-coded into the source code. Each sample also has its\r\nown unique identifier string at the start of its communication with C2 servers, which appears to let the actor\r\ntrack which application in their arsenal produced the compromise, since the identifier reveals the specific\r\napplication the victim installed. While not always the case, some unique identifiers are similar to the\r\nname of the C2 domain, while at other times they refer to the title of the application, highlighting another level of\r\ncustomization of this malware.\r\nPrevalence of commercial surveillanceware\r\nOf the malicious applications in this campaign, 64 of 71 are SpyNote samples, a well-known commercial\r\nsurveillanceware family. 
The remainder belong to the SandroRat, AndoServer, and SLRat families, of which the\r\nlatter two have not yet been publicly reported on.\r\nSLRat appears to have gained popularity since its developer first publicized it in May 2016, advertising it as “the\r\nBest and Free android remote admin tool”, while AndoServer has not yet been seen for sale or mentioned on\r\npublic forums. Based on samples ingested to date, however, Lookout researchers believe it is also a customizable\r\nAndroid malware that may be for sale, or only known about and used by a smaller group of operators.\r\nGiven Syria’s history of censorship and past mobile and desktop surveillance campaigns, it should come as no\r\nsurprise that another campaign is active. SilverHawk actors initially entered the mobile malware space using the\r\ncommercial Android surveillanceware AndroRat, before customizing it and then developing their own mobile\r\ntooling. It is in line with known TTPs that a new commercial or public spy tool might have been adopted and used\r\nby this actor as part of new surveillance efforts, and there are likely more to be discovered.\r\nLookout has been ingesting samples from the AndoServer and SLRat families since 2016, and has\r\nseen a spike in activity towards the end of 2019.\r\nIOCs (SHA1 hashes of the malicious 
apps):\r\n1aefc2ebaf1a78f23473ce6275b0b514bbcdfb08\r\n213b7f8c3f26a87b116927143289886742b979a1\r\n321682c8395216b6f71ac1f4a1188040bbddfeb4\r\n8cae26c899440f890a8faca2e63ba42c0195cd3b\r\nccb143b25cedf043a8be46a1f3c3f8a0a3e4c2b2\r\n61ecf4d82246a22dc2d390eca1e20abd6b961083\r\n1e30cc843a32db0296502795781f8064adbceee6\r\na07370617fa695b047359ac345375d05a7135da0\r\n915e3470e5ab85cb1fe565484b15004a19e88da6\r\n3bfa1b4d98c02c43e7b3af9e536dbcd79e0b9197\r\nd14bb8de94e6f6a733b0962c6d0847376286874f\r\n3c5fd8b163b32cde47dd50c4b61ab087c0cad8d4\r\n4dcc2d9ef4921b3eb4e4dc72dd3716520d558102\r\n07c1edf35c60ea6f2ff02df6e0bfa24abb3029c1\r\n50c607a138e33c8cbdcf2f617f61095b7efa06da\r\nb1a9bc32ece469d7e2d43e894e68cb3bec17ac82\r\n34cb80d4e5d19fcaf724b73aacfebbb19c79337e\r\nc21919c6064c739533878da39d0feaf83e99f586\r\na62250430da13436b80a62f6a1fee67ed0050e37\r\n246a17230dbe8a5c533231fa1da80d977985b111\r\n358653280acdfd84b6ca326c9b06d12878af69c8\r\n4ec39acfc6f3f9715d0d0e2b0a2f7121d617b605\r\n9f09a4868f61d174ad075e5acaa8d849294dbf69\r\n8952bdf2e3d777d01011e6f8619fca8835e8c434\r\nb9dffff37efbfb8e577ee242c8807db967704a0d\r\n5f6019eae4a16abd11d981b2da5d4ef05115a5c4\r\n0b7cf990bb0dc62dd44d9fa6410ca591dfe47a5d\r\n08162ad39a6237e4eebacf764a5ca6158816a86e\r\nf2fb9826da43f92ff69686f999f205502a33342c\r\nc2e5287433a0e3c7d059494e65b87c3c36f74a47\r\nc7405d85a78a62003494f398084cff8f1794e2ab\r\n16c9ef6ed5af0855a3e6b963ff9c2d65d70de11e\r\nbae5c56d3cd888ec19c42bf5d782de327d012a37\r\n34cc91ad64f52420b6e1531c097ac1602af1f089\r\n00455a4652faf751753b5ebfbb0656bee530f4ef\r\nb263eec151b11d0a6ebcfcf37b3b98458d2d530c\r\n18cc448d71437e7a72558f6680ff10fb234fc64f\r\n6a68f8d962adae7d767b6dfeb2d5b90be412b1f1\r\n0fdc50226a7eb9aee6e6422907425d4531290374\r\naa43f78a2667909546c3cd993a2940b076634379\r\n5b2e709dfc95e9fc4e4343b92c76cc2193acd49a\r\ne6962b122e14e59c7c88a25d405d6c653b31590e\r\n9c83fdecc8429bc278d03116ca9e2cff5013987e\r\n53653984310845988103051e7acf4ed336150b99\r\n18451fc0e8fbe878f242e7ee1834091c455f8fc1\r\n0f7bf07352b4d1852f651dda350fd446b3477740\r\n615863ce030f3de3e377352637d6ecc55dfd185a\r\nb46b241620a4d5682e9083ce726827fdbf4a96e5\r\nab259f11163ea51767a6b17855bc0e79a8ae96e4\r\n447165f88f951f8d26bc721f3047533a54f59ce0\r\n29e04da270da0a6bedfcaee3f6fe8251d6cdef31\r\n6cebf3c27fb348272b72041451b232f78190f83d\r\ne99ebc998ab63026b9b40fff55037c1b69a80369\r\nddf2b474a0ed1b47278d00872a84d2a2405cc33c\r\n01963c9c70102961cb8b424f623e9be32d7b255b\r\n8d664c9753f7bf65a8cce69dca5486971d1f06ca\r\n2d01b7691ce5647e60c566eda33166bf2e9bcc53\r\n44d8bc4406227aeec9711b74f771c05ddfd3d173\r\n0c04da70ba0771734f99eba05a5676713675d0e8\r\n37e11e1a45f166b16170e8d649c3b75ee93e90a8\r\ndbfbfe43f04c58bcf5daa71df61dcc354bbf2d27\r\ndc3778ffb7399e009a287983f0113e15fd8b227e\r\n1a0a65e6b4a2c42e5dc3d7db2179c04952a03948\r\n69f475024e006b51f7ec6a1990bad460fe9805f0\r\na32900a79d459da90e49ee8acf23dcfd03bfcb4b\r\n5c8bf130f8e5c7756674a6d376dd7f25fbded4e4\r\nKristin Del Rosso\r\nSecurity Research 
Engineer\r\nKristin Del Rosso is a security researcher with a primary focus on reverse engineering Android applications. She\r\nworks with her team to uncover new mobile threats, track actors and targets, and provide accurate research and\r\nreporting on these issues. She has spoken at Black Hat EU and NSEC on state-sponsored malware campaigns, and\r\nvolunteers with Day of Shecurity, an organization aimed at tackling the gender diversity issue in cybersecurity.\r\nSource: https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures"
	],
	"report_names": [
		"nation-state-mobile-malware-targets-syrians-with-covid-19-lures"
	],
	"threat_actors": [
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef141033abc36d8b122400d11e978cf6af4a6edc.pdf",
		"text": "https://archive.orkl.eu/ef141033abc36d8b122400d11e978cf6af4a6edc.txt",
		"img": "https://archive.orkl.eu/ef141033abc36d8b122400d11e978cf6af4a6edc.jpg"
	}
}