Your smartphone contains more personal information than ever before. Family photos, passwords, and even your exact location create a digital footprint that can be very valuable if it falls into the wrong hands. Enter Dark Caracal.


Dark Caracal is a malware campaign designed to target mobile devices all over the world. The campaign has already infected thousands of users in more than 20 countries. The campaign, designed to exploit user error and vulnerability, uses nearly identical versions of applications (such as WhatsApp and Signal) found on the Apple App Store and Google Play Store. After the apps are downloaded, the hackers have access to virtually everything on the mobile device.


Dark Caracal has been successful not because of a new exploit, but because of the victim. After a malicious version of the app is downloaded, the user is prompted to grant permissions to access certain items on the device. Much like Facebook and other popular apps, the user can choose to allow the application access to photos, messages, contacts, and even their location. Unless the user notices something abnormal when downloading the fake application, they are likely to proceed through the permissions prompt, giving the hacker access to their mobile device.

Google and Apple both have security patches in place to protect against these vulnerabilities but cannot protect against user error. Also, while Google and Apple are very diligent in screening applications before they are placed on their marketplaces, third-party application stores do not take the same steps to verify an application’s validity. For example, the Google Play Store is not available in China, which has over 300 million Android users. This means Android users in China are likely to navigate to insecure third-party websites to download their applications.


Patching and updates are a great way to protect against these types of vulnerabilities. However, a recent study from the Federal Trade Commission showed that most mobile devices are not getting patches as frequently as they should. The problem is that most security patches are packaged with larger software updates, which users are usually hesitant to download for fear of altering their phone’s appearance or performance.

These mobile attacks will “…soon surpass the amount of attacks focused on your computers,” states Andrew Blaich, a researcher from mobile security company Lookout.

That said, it is imperative that users stay alert when downloading applications onto their mobile devices. It is highly recommended to avoid third-party marketplaces altogether and to double-check permissions when first installing an app.

Moving Forward…

Plummer Slade offers Cyber Security/Safe Computing Training Sessions that highlight best practices, identifying suspicious emails, and mobile device usage. These training sessions are vital in educating users on how to avoid compromising their personal/firm’s information.

For more information on Dark Caracal, or to schedule a Cyber Security/Safe Computing Training Session, please contact us at 412-261-5600.