What is Tempting Cedar? Hackers using fake Facebook profiles to spread Android spyware
Security experts believe that the hackers behind the Tempting Cedar spyware may be Lebanese.
A new campaign involving suspected Lebanese hackers has been uncovered, in which cybercriminals create fake Facebook profiles and use social engineering to lure potential victims into downloading Android spyware.
According to security researchers at Avast, who uncovered the new attacks, the hackers spread the spyware, dubbed Tempting Cedar, via fake Facebook profiles that engaged with potential victims. The targets were persuaded by the hackers operating the fake profiles to download the spyware, which was disguised as the Kik Messenger app.
The spyware steals victims' photos, contacts and call logs, and can also spy on conversations when the infected device is within range. The Tempting Cedar spyware can also harvest a victim's geolocation via the infected device to track their location, as well as record surrounding sounds.
"The campaign was highly targeted and ran deep under the radar. It is always difficult to attribute persistent threat campaigns, like this one, to cybercriminals. However, pieces of information point to the cybercriminals behind this campaign being Lebanese," Avast researchers wrote in a blog post.
The hackers were also observed working only during workdays and occasionally on Saturdays but never on Sundays. According to the researchers, the cybercriminals' working hours correspond to Eastern European and Middle Eastern time zones.
The campaign affected a small number of victims in the US, France, Germany and China. However, the majority of victims affected by the attacks were found to be from the Middle East, most of them located in Israel.
"The targeted Tempting Cedar campaign has been running under the radar since as far back as 2015, targeting people in Middle Eastern countries. The spyware's infection vector involves social engineering using attractive, but fictitious Facebook profiles. Despite unsophisticated techniques and the level of operational security being used, the attack managed to remain undetected for several years," the Avast researchers said.
To stay safe from such attacks, researchers recommended that social media users always use antivirus software and not download files from unknown or untrusted sources.