Taking Action Against Hackers in Palestine

By Mike Dvilyanski, Head of Cyber Espionage Investigations, and David Agranovich, Director, Threat Disruption

Today, we’re sharing actions we took against two separate groups of hackers in Palestine — a network linked to the Preventive Security Service (PSS) and a threat actor known as Arid Viper — removing their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet. To the best of our knowledge, this is the first public reporting of this PSS activity.

Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying people if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

Today we’re sharing our latest research into two clusters of unconnected cyber espionage activity. One of them targeted primarily domestic audiences in Palestine. The other cluster targeted audiences in the Palestinian territories and Syria and to a lesser extent Turkey, Iraq, Lebanon and Libya.

To disrupt both these operations, we took down their accounts, released malware hashes, blocked domains associated with their activity and alerted people who we believe were targeted by these groups to help them secure their accounts. We shared information with our industry partners including the anti-virus community so they too can detect and stop this activity, strengthening our collective response against these groups across the internet. We encourage people to remain vigilant and take steps to protect their accounts, avoid clicking on suspicious links and downloading software from untrusted sources that can compromise their devices and information stored on them.

The groups behind these operations are persistent adversaries, and we know they will evolve their tactics in response to our enforcement. However, we keep improving our detection systems and collaborating with other teams in the security community to continue making it harder for these threat actors to remain undetected. We’ll keep sharing our findings when possible so people are aware of the threats we’re seeing and can take steps to strengthen the security of their accounts.

Here’s What We Found

PSS-Linked Group

This activity originated in the West Bank and focused on the Palestinian territories and Syria, and to a lesser extent Turkey, Iraq, Lebanon and Libya. It relied on social engineering to trick people into clicking on malicious links and installing malware on their devices. Our investigation found links to the Preventive Security Service — the Palestinian Authority’s internal intelligence organization.

This persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led government, human rights activists and military groups including the Syrian opposition and Iraqi military. They used their own low-sophistication malware disguised as secure chat applications, in addition to malware tools openly available on the internet.

Our investigation analyzed a number of notable tactics, techniques and procedures (TTPs):

  • Android malware: This group’s custom-built Android malware had relatively simple functionality and required a limited set of device-level permissions, which likely helped it to stay under the radar for most anti-virus detection systems. This malware masqueraded as secure chat applications. Once installed, it collected information such as device metadata (e.g. manufacturer, OS version, IMEI), call logs, location, contacts and text messages. In rare cases, it also contained keylogger functionality — an ability to record every keystroke made on a device. Once collected, the malware would upload the data to Firebase, a mobile app development platform. In addition to their custom-made malware, this group also utilized publicly available Android malware called SpyNote which had more functionality including remote device access and the ability to monitor calls.
  • Windows malware: This group occasionally deployed publicly available malware for Windows, including NJRat and HWorm, commonly used in the region. They also bundled Windows malware in the installer package for their own decoy application for journalists to submit human rights-related articles for publication. This app had no legitimate functionality.
  • Social engineering: This group used fake and compromised accounts to create fictitious personas posing primarily as young women, and also as supporters of Hamas, Fatah, various military groups, journalists and activists to build trust with people they targeted and trick them into installing malicious software. Some of their Pages were designed to lure particular followers for later social engineering and malware targeting. Likely to build audiences, these Pages posted memes criticizing Russian foreign policy in the Middle East, Russian military contractor Wagner Group and its involvement in Syria and Libya and the Assad government.

Threat Indicators:

Android C2 Domains


Android Hashes


SpyNote C2


Windows Malware C2 Domains


Windows Malware Hashes


Links to Android Malware


Arid Viper

This activity originated in Palestine and targeted individuals in the same region, including government officials, members of the Fatah political party, student groups and security forces. Our investigation linked this campaign to Arid Viper, a known advanced persistent threat actor. It used sprawling infrastructure to support its operations, including over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials through phishing or acted as command and control servers.

They appear to operate across multiple internet services, using a combination of social engineering, phishing websites and continually evolving Windows and Android malware in targeted cyber espionage campaigns.

We shared threat indicators with industry peers and security researchers as part of a concerted effort to disrupt this group’s operations. We’re also sharing a detailed technical report with our findings, including threat indicators to help advance our industry’s understanding of this adversary (below).

Here are our key findings and some of the notable tactics, techniques and procedures (TTPs) we’ve observed:

Custom iOS Surveillanceware:

  • Arid Viper used custom-built iOS surveillanceware which hasn’t been previously reported and reflects a tactical shift. We call this iOS component Phenakite due to it being rare and deriving its name from the Greek word Phenakos, meaning to deceive or cheat.
  • Installation of Phenakite required that people be tricked into installing a mobile configuration profile. This allowed for a device-specific signed version of the iOS app to be installed on a device. A jailbroken device wasn’t required.
  • Post-installation, a jailbreak was necessary for the malware to elevate its privileges to retrieve sensitive user information not accessible via standard iOS permission requests. This was achieved with the publicly available Osiris jailbreak that made use of the Sock Port exploit, both of which were bundled in the malicious iOS app store packages (IPAs).
  • Arid Viper’s iOS surveillanceware was trojanized inside a fully functional chat application that used the open-source RealtimeChat code for legitimate app functionality. This malware could also direct people to phishing pages for Facebook and iCloud to steal their credentials for those services.
  • Arid Viper’s use of custom iOS surveillanceware shows that this capability is becoming increasingly attainable by adversaries believed to be of lower sophistication.

Evolving Android and Windows Malware

  • The Android tooling used by Arid Viper shares many similarities with malware previously reported as FrozenCell and VAMP.
  • The Android malware deployed by Arid Viper required people to install apps from third-party sources on their devices. The group used various convincing, attacker-controlled sites to create the impression that the apps were legitimate.
  • Arid Viper’s recent operations also used variants of a malware family known as Micropsia, which previously has been associated with this threat actor.

Malware Distribution

  • Delivery of both the Android and iOS malware involved social engineering.
  • Android malware was typically hosted on convincing looking attacker-controlled phishing sites. At the time of this writing, we discovered 41 such sites.
  • iOS malware was previously found to be distributed from a 3rd party Chinese app development site. After we shared our findings with industry partners which led to the revocation of multiple developer certificates, Arid Viper’s ability to distribute Phenakite was disrupted. We’ve since seen them try setting up their own infrastructure to distribute their iOS implant.
  • While Arid Viper tooling has previously been discovered in official app channels like the Play Store, we didn’t find it to be the case in this most recent campaign.

Cyber espionage timeline graphic

Compromise Flow:

Arid Viper CharArid Viper Chart

See the full Threat Report on Arid Viper for more information and IOCs.

To help personalize content, tailor and measure ads, and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy