Hackers pushing nation-state-style surveillance malware recently scored a major coup by getting three advanced malicious applications hosted in Google's official Play marketplace, researchers said. Google removed the apps after receiving notification of their presence.

The mAPTs, short for mobile advanced persistent threats, likely came from two separate groups that both target people in the Middle East, Michael Flossman, head of threat intelligence at mobile security company Lookout, told Ars. The three apps combined received about 650 to 1,250 downloads, according to Google Play figures. All three of them gave attackers considerable control over infected phones.

The apps—two from a family known as ViperRat and the third from the Desert Scorpion family—represent one of the few known times mAPTs have been found in the official Google market. The attackers' success is largely the result of a modular design where malicious functionality isn’t part of the initial version first downloaded from the Play Store. Rather, the surveillance capabilities come in a second stage that's downloaded later. Previously, both hacker groups relied largely on social engineering that tricked targets into downloading apps from third-party markets. The ability to get the apps hosted in Play is considered a win because it gives targets much more assurance that the apps are legitimate.

"The existence of ViperRAT and Desert Scorpion on Google Play showcases that actors are continuing to 'tune' their malware to get past early stage detections and make it into first-party app stores," Flossman wrote in an email. "These techniques include not shipping the malicious functionality of an app until a second stage that is triggered by some behavior. Surveillanceware is able to hide its malicious functionality in the noise of social networking and chat apps because they request many of the same permissions."

For all your surveillance needs

Desert Scorpion was delivered in an app titled Dardesh, which was downloaded about 100 times. It offers a full set of surveillance capabilities including the ability to:

Upload attacker-specified files to command and control servers

Record surrounding audio, calls, and video

Retrieve account information such as email addresses

Retrieve contacts

Remove copies of itself if any additional APKs are downloaded to external storage

Call an attacker-specified number

Uninstall apps

Hide its icon

Retrieve a list of files on external storage

Encrypt some exfiltrated data

Obtain a list of installed applications

Get device metadata

Inspect itself to get a list of launchable activities

Retrieve PDF, txt, doc, xls, xlsx, ppt, and pptx files found in external storage

Send SMS messages

Retrieve text messages

Track device location

Handle limited attacker commands via out-of-band text messages

Check if a device is rooted

Attempt to add itself to the protected list of apps able to run with the screen off if running on a Huawei device

Desert Scorpion has ties to another targeted surveillance-ware family, dubbed Frozen Cell. Lookout researchers believe both families are developed, or at least operated, by a single group known as APT-C-23. Desert Scorpion is being used to target individuals in the Middle East, particularly those in the Palestine region.

Lookout observed Dardesh receiving two updates, the first on February 26 and the second on March 28. The second stage of Dardesh came in the form of a generic settings application. It included the word "Fateh," in what lookout believes is a reference to the Fatah Palestinian political party. Lookout's blog post about Desert Scorpion is here.

The ViperRat malware was delivered through VokaChat and Chattak, which received from 500 to 1,000 downloads and 50 to 100 downloads, respectively. An earlier ViperRat campaign targeted members of the Israeli Defense Force with apps posted in third-party markets. Attackers posing as attractive women would befriend individual targets and eventually try to trick them into downloading Trojanized chat apps. Unlike the chat apps from earlier ViperRat campaigns, VokaChat and Chattak contained fully functional chat capabilities, a feature that made it less likely that targets would suspect they had installed malware.

Chattak contained either a feature or a bug—Lookout isn't sure which it is—that disclosed email addresses and other details of some users with other users. Many of the email addresses suggested targets had ties to Saudi Arabia, but Lookout isn't sure if those addresses came from people who actually installed the malware.

The trio of apps signals a growing threat to Android users because of the trust many people place in the Google Play market.

"A malicious app that can be downloaded from the Google Play store is extremely dangerous, as users will not think twice about downloading it because of their trust in Google," Flossman wrote in a Monday morning blog post detailing ViperRat. "This is alarming to us, because as attackers continually find new ways to add legitimacy to their malicious apps, their phishing attacks will become more successful."