Fake WhatsApp emails, texts and voicemails spread malware to mobiles

22965462_sThis past week, a very sophisticated malware has broken into the scene targeting key military, government and business leaders. The malware, coined ‘Inception‘ by Blue Coat Systems, spans multiple mobile operating systems including Android, Microsoft, BlackBerry and Apple’s IOS. The majority of the targets that the malware infected are from Russia, Romania, Kazakhstan, India, Belarus and the Czech Republic. There have been reports from targets from others countries, but not as severe.

On Android phones, the malware is downloaded and installed by the user in an App called ‘WhatsAppUpdate.apk’. The malware uses a Swedish cloud service called ‘CloudMe’, where the malware tracks and then uploads the recorded phone calls to a CloudMe storage account. From there, the attacker is able to download the recorded phone calls which are saved in a .MP4 format. The malware also lets the attacker gain access to the mobile device if desired by leaving a backdoor open on the operating system.

Inception is not just playing phone pranks either

It has been reported that Inception can also deliver an array of goodies to the attackers, including: location, contacts, account data, microphone recordings, ingoing and outgoing call logs, web browser bookmarks, SMS, Apple ID, phone numbers, IP address and Mac address.

31565941_sThe attacker can control the phone through an encrypted command and control protocol. In one example, a user who was targeted worked in Paraguay on United Nations matters. The user received phishing emails in Spanish that contained a link to download the ‘WhatsApp updates’ with the four different mobile operating system platforms to choose from.

More than 60 mobile service providers such as T-Mobile, Vodafone and China Mobile, were used to transport spam text messages unbeknownst to them. Users unaware of the malware may potentially give the attacker control over their mobile device if they chose to install the WhatsApp link in the text message.

Only jailbroken iOS systems at risk

So where are these attacks coming from? Kaspersky Labs confirmed the malware campaign and named it “Cloud Atlas”. Kaspersky speculates that the malware may have originated from China, based on the content and nature of similar malware in the past. It appears that the Inception/Cloud Atlas malware has a lot of similarities with a malware campaign called “Red October” in 2012, although Inception/Cloud Atlas is more sophisticated and deceiving.

But who really knows? The only solid clue that we have right now is that the malware has and continues to target government and organizational leaders around the world. Android, Microsoft and BlackBerry have already fallen hard to Inception. Apple can only be infected if the device is jail-broken; Apple has a good track record of removing exploits from newly released iOS versions in a short time manner, which makes the window for malware infection smaller.

How to protect your device – and your identity

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial
  1. For any mobile platform device, only download from the approved App store (Google Play, Apple’s App Store, etc.).
  2. Do not side-load any applications! This means not to download applications off of the internet and run them in a ‘Super User’, ‘Root’ or administrator manner. By doing so, you are inviting infected malware disguised as legitimate applications to be executed on the mobile device.
  3. Absolutely avoid all phishing SMS messages. If you are unfamiliar with the sender, then do not click on the link.
  4. Protect your Android phone with a next-gen security solution, such as Emsisoft Mobile Security.

Arief Prabowo

What to read next