Iranian hackers are targeting Android systems using AndroRat and DroidJack remote-access Trojans, and are getting support from local-language forums.
According to research released this morning by Recorded Future, these particular RATs provide the ability to intercept SMS messages, contacts, call logs, browser history, and user credentials on visited websites. The malware can also intercept data from phone features like the microphone or camera.
These tools are most commonly used in very focused political attacks, said Recorded Future researcher Rodrigo Bijou.
"These are very targeted attack tools," he said. "They have been used before for refugee populations, dissidents, political targets in the Syrian conflict. It's much more personal than, say, hijacking 10,000 machines for a botnet to mine cryptocurrency or banking malware from Russia from run-of-the-mill cybercriminals."
What's surprising, he said, is the high level of tech support available on local language forums.
"People talk about how you access the tools, how you obfuscate communications," he said.
The forum participants also share versions of these tools with one another, and talk about the pros and cons of the various available versions.
"It's fairly extensive support," he said.
It's not clear whether the people participating in the forums are government employees, he said.
"The individuals themselves want to remain anonymous," he said. "But they're mentioning ties to prominent technical universities that feed into the military and other such organizations."
The Android platform makes sense as a target, he added, since, according to IDC data, Android accounts for 80 percent of mobile operating systems in the Middle East.
AndroRat and DroidJack, the two tools getting the most attention on these forums, are older tools and are discussed less frequently in other geographies.
Bijou suggested that these two tools continue to remain popular on Iranian forums because they are easy to use, easy to download, and have strong Farsi-language peer support.
They are free and open source, and have been available for download from GitHub since 2012.
[ ALSO ON CSO: Iran attacked with data-wiping malware, report says ]
"Someone put it out on GitHub with the source code and everything," said Recorded Future CEO Christopher Ahlberg.
There's a variety of malware on GitHub, including some very complicated, advanced attack tools. Some of it is ostensibly posted for research purposes, to show a proof of concept for a vulnerability so that the vendor can close it.
But the tools also have legitimate security uses, for penetration testers and IT administrators, said Bijou.
Bijou added that having an understanding of who the attackers are can help companies defend themselves.
"It adds nuance to understanding the threat landscape," he said. "If you know that certain actors are using certain tools, and you see trends in more attacks of those kinds, you can update your operational security."
This would particularly apply to companies and other organizations that are active in the region, he said.
In addition, security managers should warn corporate executives or politicians traveling to the Middle East to practice basic phone hygiene. That means not using jailbroken phones, keeping all software up to date and patched, and only downloading applications from official app stores.
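The three hygiene points above (no rooted or jailbroken device, current patches, apps only from official stores) can be checked mechanically on an Android handset. The script below is an added example, not code from the article or from Recorded Future: it parses the kind of output `adb shell` returns for `pm list packages -3 -i`, `getprop ro.build.version.security_patch` and `which su`, and reports findings. All sample output here is constructed; the set of approved store installers and the 90-day patch-age threshold are assumptions to tune for your own fleet.

```python
"""Audit basic Android hygiene from captured `adb shell` output.

Checks: rooted state (su binary present), security patch level age, and
third-party apps whose installer is not an approved store.
"""
from datetime import date

# Installer package IDs treated as official stores. Assumption: Google Play only;
# add a vendor store ID if your organisation approves one.
OFFICIAL_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not captured from a real device.
SAMPLE_PACKAGES = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.other  installer=com.example.downloader
"""
SAMPLE_PATCH_LEVEL = "2018-01-05"          # `getprop ro.build.version.security_patch`
SAMPLE_SU_LOOKUP = "/system/xbin/su"       # `which su`; empty on a stock, unrooted device
SAMPLE_AUDIT_DATE = date(2018, 6, 1)       # fixed "today" so the example is reproducible


def parse_package_list(text):
    """Parse `pm list packages -i` output into {package: installer or None}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, _, rest = body.partition("installer=")
        installer = rest.strip() or None
        if installer == "null":            # pm prints "null" when the installer is unknown
            installer = None
        result[name.strip()] = installer
    return result


def unofficial_apps(packages, official=OFFICIAL_INSTALLERS):
    """Return packages whose installer is missing or not an approved store."""
    return sorted(p for p, inst in packages.items() if inst not in official)


def patch_age_days(patch_level, today):
    """Days between the YYYY-MM-DD security patch level and `today`."""
    y, m, d = (int(x) for x in patch_level.split("-"))
    return (today - date(y, m, d)).days


def audit(package_text, patch_level, su_lookup, today, max_patch_age=90):
    """Return a list of human-readable findings; empty means the device passed."""
    findings = []
    if su_lookup.strip():
        findings.append("rooted: su binary present at %s" % su_lookup.strip())
    age = patch_age_days(patch_level, today)
    if age > max_patch_age:
        findings.append("stale security patch level %s (%d days old)" % (patch_level, age))
    for pkg in unofficial_apps(parse_package_list(package_text)):
        findings.append("app not from an official store: %s" % pkg)
    return findings


def sample_audit():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_PACKAGES, SAMPLE_PATCH_LEVEL, SAMPLE_SU_LOOKUP, SAMPLE_AUDIT_DATE)


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

On a real device, feed the script the output of the three `adb shell` commands instead of the constructed strings; an empty findings list is the pass condition a travelling executive's phone should meet before departure.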