Lebanon’s spying agency turns smartphone Into selfie spycam: report

general security lebanonLebanon’s intelligence service may have turned the smartphones of thousands of targeted individuals into cyber-spying machines in one of the first known examples of large-scale state hacking of phones rather than computers, researchers say.

Lebanon’s General Directorate of General Security (GDGS) has run more than 10 campaigns since at least 2012 aimed mainly at Android phone users in at least 21 countries, according to a report by mobile security firm Lookout and digital rights group Electronic Frontier Foundation (EFF).

The cyber attacks, which seized control of Android smartphones, allowed the hackers to turn them into victim-monitoring devices and steal any data from them undetected, the researchers said on Thursday. No evidence was found that Apple phone users were targeted, something that may simply reflect the popularity of Android in the Middle East.

Major General Abbas Ibrahim , head of Lebanon’s Directorate of General Security (DGS) is a member of the Amal Movement which is closely associated Hezbollah
Major General Abbas Ibrahim , head of Lebanon’s Directorate of General Security (DGS) is a member of the Amal Movement which is closely associated Hezbollah. He told Reuters: “General Security does not have these type of capabilities. We wish we had these capabilities.”

The state-backed hackers, dubbed “Dark Caracal” by the report’s authors – after a wild cat native to the Middle East – used phishing attacks and other tricks to lure victims into downloading fake versions of encrypted messaging apps, giving the attackers full control over the devices of unwitting users.

 Michael Flossman, the group’s lead security researcher, told Reuters that EFF and Lookout took advantage of the Lebanon cyber spying group’s failure to secure their own command and control servers, creating an opening to connect them back to the GDGS.

“Looking at the servers, who had registered it when, in conjunction with being able to identify the stolen content of victims: That gave us a pretty good indication of how long they had been operating,” Flossman said in a phone interview.

Dark Caracal has focused their attacks on government officials, military targets, utilities, financial institutions, manufacturing companies, and defense contractors, according to the report.

 The researchers found technical evidence linking servers used to control the attacks to a GDGS office in Beirut by locating wi-fi networks and internet protocol address in or near the building. They cannot say for sure whether the evidence proves GDGS is responsible or is the work of a rogue employee.

The malware, once installed, could do things like remotely take photos with front or back camera and silently activate the phone’s microphone to record conservations, researchers said.

Responding to a question from Reuters about the claims made in the report, Major General Abbas Ibrahim, director general of GDGS, said he wanted to see the report before commenting on its contents. He added: “General Security does not have these type of capabilities. We wish we had these capabilities.”

Ibrahim was speaking ahead of the report’s publication.


The EFF/Lookout team said they uncovered spy tools and a massive trove of hundreds of gigabytes of data stolen from the phones of thousands of victims that included text messages, contacts, encrypted conversations, documents, audio and photos.

Targets were located mainly in Lebanon and the surrounding region, including Syria and Saudi Arabia, but not Iran or Israel, two frequent targets of government cyber spy attacks. Victims also lived in five European countries, Russia, the United States, China, Vietnam and South Korea, researchers said.

The researchers notified Google, the developer of the Android operating system, late in 2017. Google worked closely with the researchers to identify the apps associated with this attack, none of which were available on the Google Play Store for Android phone users, a company spokesman said.

 Google Play Protect, the internet company’s unified security system that runs on many Android smartphones, has been updated to protect users from these malicious apps and is in the process of removing them from any affected phones, the spokesman said.

The attackers borrowed code to create their own malicious software from developer sites, while relying heavily on social engineering to trick people to click on links that sent them to a site called SecureAndroid, a fake Android app store.

There, users were encouraged to download fake, but fully functioning versions of encrypted messaging apps and privacy tools including WhatsApp, Viber and Signal, that Flossman said promised victims secure software “better than the original”.

Lookout found links between the Lebanon-linked attacks and ones tied to the Kazakh government in Central Asia in 2016 in a report called “Operation Manual” by EFF and other experts. The two research groups agreed to team up and now believe the Kazakh group was a customer of the Lebanon-based hackers.


Discoveries of state-sponsored cyberespionage campaigns have become commonplace as countries in the Middle East and Asia scramble to match the digital prowess of the United States, China, Russia and other major powers.

Electronic Frontier Foundation Director of Cybersecurity Eva Galperin said the find was remarkable, explaining that she could think of only one other example where researchers were able to pin state-backed hackers to a specific building.

“We were able to take advantage of extraordinarily poor operational security,” she said.

The 49-page document lays out how spies used a network of bogus websites and malicious smartphone apps – such as WhatsApp, Telegram, Threema and Signal – to steal passwords or pry into communications, eavesdropping on conversations and capturing at least 486,000 text messages. Some victims were tricked into visiting the websites or downloading the rogue apps by booby trapped messages sent over WhatsApp, the report said.


  • Arzna

    I bet you this will be a windfall for Iphone in Lebanon, while Android will have a fire sale

  • Arzna

    I will not at all be surprised if Hezbollah is behind the campaign. They want to control the country and the people . Nothing of this nature can be done in Lebanon without Hezbollah’s knowledge

  • Niemals

    As a result of Maria Maalouf making headlines again about Hassan Nasrallah, Dhahi Khalfan (Deputy Commander of the Dubai Police), posted several surveys on his Twitter account regarding Hezbollah leader Hassan Nasralla, in an attempt to show how hated he actually is by the Arabs.

    Some questions from the surveys included;
    “Would you like to send a message to Nasrallah that he is a traitor of the nation?”
    “Is Hassan Nasrallah a hero or a criminal to you?”

    In other surveys the questions included:
    “What would you say to Nasrallah, if you were to catch him?
    1. May Allah guide you.
    2. You would imprison him for life.
    3. You would execute him because he is a murderer,”

    “You think getting rid of Nasrallah is:
    1. Most essential.
    2. Not important.
    3. I don’t know.”

    The one signed as Khalfan was startling – “I hope Nasrallah sees the polls so that he understands how hated he is in Arab society.”