Hackers with likely ties to Egypt’s government used Google’s official Play Store to distribute spyware in a campaign that targeted journalists, lawyers, and opposition politicians in that country, researchers from Check Point Technologies have found.
The app, called IndexY, posed as a means for looking up details about phone numbers. It claimed to tap into a database of more than 160 million Arabic numbers. One of the permissions it required was access to a user’s call history and contacts. Despite the sensitivity of that data, those permissions were understandable, given the the app’s focus on phone numbers. It had about 5,000 installations before Google removed it from Play in August. Check Point doesn’t know when IndexY first became available in Play.
Behind the scenes, IndexY logged whether each call was incoming, outgoing, or missed as well as its date and duration. Publicly accessible files left on indexy[.]org, a domain hardcoded into the app, showed not only that the data was collected but that the developers actively analyzed and inspected that information. Analysis included the number of users per country, call-log details, and lists of calls made from one country to another.