Dark Caracal

Dark Caracal is a spyware campaign that has been conducted by an unknown group of hackers since at least 2012. The campaign was discovered by the Electronic Frontier Foundation and the mobile security firm Lookout, who published their findings on January 18, 2018. The campaign has mainly used phishing attacks (and in some cases physical access to victims systems ) in order to install malicious Android applications, including ones that imitate the look and feel of popular instant messaging applications, on victims systems to gain full control over the devices. No evidence was found that iPhone users have been targeted, and according to Google, none of the malicious applications were found on the Google Play Store. The data allegedly stolen includes documents, call records, text messages, audio recordings, secure messaging client content, browsing history, contact information, photos, location data, and other information that allows the group to identify their targets and have a look at their personal lives. The component used to monitor Android devices is known as Pallas; the component used to monitor Windows devices is a variant of the Bandook trojan.

The campaign is suspected to be state-sponsored and linked to the Lebanese government's General Directorate of General Security. According to Reuters, "the researchers found technical evidence linking servers used to control the attacks to a GDGS office in Beirut by locating wi-fi networks and internet protocol address in or near the building." The researchers have said that they are not certain "whether the evidence proves GDGS is responsible or is the work of a rogue employee." The report was denied by Major General Abbas Ibrahim.

The group continues to be active in various countries, as of early 2023.