AndoServer malware has its C2 domain or IP address hard-coded into the source code. Each sample also sends its own unique identifier string at the start of its communication with the C2 server; this appears to let the actor monitor which application in their arsenal is responsible for a given compromise, since it identifies the specific application installed on that victim's device. While not always the case, some unique identifiers resemble the name of the C2 domain, while others refer to the title of the application, highlighting another level of customization of this malware.
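The two per-sample customizations described above (a hard-coded C2 and an identifier that sometimes resembles the C2 domain or the app title) are what an analyst pivots on when clustering samples. The following triage helper is an added example, not code from Lookout's report: it takes records already extracted from samples (hashes, C2 values and identifiers here are constructed placeholders), guesses what each identifier was derived from, and groups samples by shared C2.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed triage records; none of these values are real indicators from the report.
SAMPLES = [
    {"sha256": "<sample-1-hash>", "c2": "example-update.test", "ident": "exampleupdate", "app": "Video Player"},
    {"sha256": "<sample-2-hash>", "c2": "203.0.113.10", "ident": "VideoPlayer", "app": "Video Player"},
    {"sha256": "<sample-3-hash>", "c2": "example-update.test", "ident": "xk9q", "app": "Chat Pro"},
]


def normalize(s):
    """Lower-case and strip punctuation so 'Video Player' and 'videoplayer' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify_identifier(rec, threshold=0.8):
    """Return 'c2', 'app' or 'other' depending on what the sample's identifier resembles."""
    host = rec["c2"]
    # A bare IP address has no domain label to compare against.
    domain_label = "" if re.fullmatch(r"[\d.]+", host) else host.split(".")[0]
    scores = {
        "c2": similarity(rec["ident"], domain_label) if domain_label else 0.0,
        "app": similarity(rec["ident"], rec["app"]),
    }
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else "other"


def pivot_by_c2(records):
    """Group samples by hard-coded C2 so shared infrastructure across apps is visible."""
    groups = defaultdict(list)
    for r in records:
        groups[r["c2"]].append((r["sha256"], r["ident"], classify_identifier(r)))
    return dict(groups)


if __name__ == "__main__":
    for c2, members in pivot_by_c2(SAMPLES).items():
        print(c2, members)
```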

Prevalence of Commercial Surveillanceware

Of the malicious applications in this campaign, 64 of 71 are SpyNote samples, a well-known commercial surveillanceware family. The remainder belong to the SandroRat, AndoServer, and SLRat families; the latter two have not yet been publicly reported on.

SLRat appears to have gained popularity since its developer first publicized it in May 2016, advertising it as “the Best and Free android remote admin tool”, while AndoServer has not yet been seen for sale or mentioned on public forums. Based on samples ingested to date, however, Lookout researchers believe it is also a customizable Android malware that may be for sale, or that is known about and used only by a smaller group of operators.

Given Syria’s history of censorship and past mobile and desktop surveillance campaigns, it should come as no surprise that another campaign is active. SilverHawk actors initially entered the mobile malware space using the commercial Android surveillanceware AndroRat, before customizing it and then developing their own mobile tooling. It is in line with known TTPs that a new commercial or public spy tool might have been adopted and used by this actor as part of new surveillance efforts, and there are likely more to be discovered.