CloudDuke (malware)
⚠️ Overview
CloudDuke is a trojanized Android remote access tool (RAT) that, according to the sources this page draws on, was first documented in 2020 by researchers at Volexity and attributed to the advanced persistent threat (APT) group tracked as APT-C-23 (also known as Arid Viper or Desert Falcons). APT-C-23 is often discussed alongside Molerats under the Gaza Cybergang label, but the two are tracked as separate clusters. The malware is built for espionage and data theft and primarily targets Palestinian and other Middle Eastern individuals, government entities, and human rights activists. It belongs to the broader category of weaponized Android applications: it is disguised as a legitimate messaging, news, or utility app and distributed through third-party app stores and social engineering. Do not confuse it with the Windows toolset of the same name that F-Secure attributed to the Dukes (APT29) in 2015; that is an unrelated family.
🔧 Technical Capabilities
CloudDuke abuses the Android accessibility service, which lets an app read screen content and inject input, to capture credentials, intercept SMS messages, record phone calls, and collect device data, including contact lists, call logs, and the list of installed applications. It talks to its command-and-control (C2) infrastructure over HTTPS and uses a domain generation algorithm (DGA) so that blocklisting a single domain does not cut it off. Persistence relies on requesting Device Administrator privileges, which makes the app hard to uninstall until those privileges are revoked, and on hiding its icon from the launcher so the victim forgets it is installed. Evasion includes AES-encrypting the payload and configuration and using Google Firebase Cloud Messaging (FCM) as a secondary tasking channel, so that C2 traffic blends with the push traffic every Android device generates. According to the 2020 Volexity report cited by this page, the malware also tracks the device's location and can take camera images on demand.
📜 History & Notable Incidents
First observed in active campaigns in early 2020, CloudDuke was part of a broader operation targeting Palestinian journalists, lawyers, and civil society members, including a campaign that distributed trojanized versions of the "Paltel" telecom app and the "Al-Asima" news app. No CVE is linked to CloudDuke; it needs no exploit and instead relies on the victim granting accessibility and Device Administrator access, an abuse of the Android Accessibility API that has been a recurring vector for Android spyware families. In 2021, industry reports noted continued development with updated C2 infrastructure and new social engineering lures built around COVID-19 health themes. No publicized law enforcement action against the operators has been recorded.
🔍 Detection Indicators
Known indicators include the APK package names com.paltel.ps.news1947 and com.news.alasima, together with SHA-256 file hashes published in the original report; take hash values from the primary source rather than from secondary aggregations, because a truncated or mistyped hash never matches anything. Behavioral signatures include repeated prompts for Device Administrator privileges, elevated battery and data usage from background recording and uploads, and outbound HTTPS connections to domains that mimic news services (e.g., api[.]alasima-news[.]com). There is no registry on Android; the malware keeps its configuration in the app's private data directory (/data/data/<package>/), which is readable only with root or from a device backup. Its HTTP requests carry a User-Agent beginning Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36, which is exactly what a Galaxy S10 browser sends, so the string is useful as an indicator only in combination with the destination domain or with non-browser traffic patterns.
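The following triage script is an added example written for this entry; it is not code from the original page, from Volexity, or from any other vendor. It turns the indicators above into two checks: a static score over a decoded AndroidManifest.xml (known package name, an accessibility-bound service, a device-admin receiver, the spyware permission set) and a sweep of proxy log lines for the lookalike domain and the reported User-Agent prefix. The manifest, the log lines, the log format, the score weights, and the review threshold are all constructed for illustration; the domain is the page's defanged indicator re-fanged, and the hash list is deliberately absent because this page carries no valid SHA-256 value.

```python
"""Added triage example for the CloudDuke indicators above (written for this
edit; not code from the original page, Volexity, or any vendor). All inputs
are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Package names quoted in the Detection Indicators section.
KNOWN_PACKAGES = {"com.paltel.ps.news1947", "com.news.alasima"}

# Runtime permissions that together enable the capabilities described above.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest (as apktool would decode it) modelling the described
# behaviour: accessibility service plus device-admin receiver. Not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.news.alasima">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Al-Asima News">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _declares(component, permission, action):
    """True if a <service>/<receiver> binds with `permission` or filters `action`."""
    if component.get(ANDROID_NS + "permission") == permission:
        return True
    return any(a.get(ANDROID_NS + "name") == action for a in component.iter("action"))


def triage_manifest(xml_text):
    """Score a decoded AndroidManifest.xml against the behavioural indicators."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    accessibility = any(_declares(s, "android.permission.BIND_ACCESSIBILITY_SERVICE",
                                  "android.accessibilityservice.AccessibilityService")
                        for s in root.iter("service"))
    device_admin = any(_declares(r, "android.permission.BIND_DEVICE_ADMIN",
                                 "android.app.action.DEVICE_ADMIN_ENABLED")
                       for r in root.iter("receiver"))
    matched = sorted(perms & SPYWARE_PERMISSIONS)
    # Constructed weights: known package 3, accessibility 2, device admin 2,
    # up to 3 for the spyware permission set. A score of 5+ warrants review.
    score = ((3 if package in KNOWN_PACKAGES else 0) + (2 if accessibility else 0)
             + (2 if device_admin else 0) + min(len(matched), 3))
    return {"package": package, "known_package": package in KNOWN_PACKAGES,
            "accessibility_service": accessibility, "device_admin": device_admin,
            "spyware_permissions": matched, "score": score, "review": score >= 5}


# Network indicators from the page. The UA prefix is what a genuine Galaxy S10
# (SM-G973F) browser sends, so on its own it is only a low-confidence signal.
SUSPECT_UA_PREFIX = "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36"
LOOKALIKE_DOMAIN = re.compile(r"(^|\.)alasima-news\.com$", re.IGNORECASE)
# Constructed log format: timestamp, client IP, destination host, quoted User-Agent.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

CHROME_TAIL = " (KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"
SAMPLE_PROXY_LOG = [  # constructed lines, not captured traffic
    f'2024-03-01T10:00:01Z 10.0.0.5 api.alasima-news.com "{SUSPECT_UA_PREFIX}{CHROME_TAIL}"',
    f'2024-03-01T10:00:02Z 10.0.0.7 www.example.org "{SUSPECT_UA_PREFIX}{CHROME_TAIL}"',
    '2024-03-01T10:00:03Z 10.0.0.9 cdn.example.net "ExampleApp/1.2"',
    'garbage line that does not parse',
]


def sweep_proxy_log(lines):
    """Flag connections to the lookalike C2 domain and/or the reported User-Agent."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        host, ua = m["host"].lower(), m["ua"]
        reasons = []
        if LOOKALIKE_DOMAIN.search(host):
            reasons.append("lookalike-domain")
        if ua.startswith(SUSPECT_UA_PREFIX):
            reasons.append("suspect-ua")
        if reasons:
            hits.append({"client": m["client"], "host": host, "reasons": reasons,
                         "confidence": "high" if "lookalike-domain" in reasons else "low"})
    return hits


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Run it against a manifest decoded with apktool and your proxy export (after adapting LOG_LINE to the real format). The confidence split matters in practice: the User-Agent alone will fire on every Galaxy S10 in the fleet, so only hits that also touch the lookalike domain should page anyone.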
☠️ Risk & Impact
CloudDuke poses a critical risk to personal privacy and national security: a successful infection gives the operator full control of the device and access to sensitive communications, credentials, and geolocation data. The primary affected sector is Palestinian civil society, with secondary targeting of Middle Eastern government and legal professionals. No quantified financial losses have been reported, but its espionage capabilities have exposed human rights activists and journalists to surveillance and potential reprisal, as documented in a 2021 Amnesty International advisory cited by this page.
🛡️ Mitigation
Defensive measures include installing applications only from the Google Play Store or an enterprise-managed store (no sideloading from third-party stores), keeping the per-app "Install unknown apps" permission denied (on Android 8 and later this replaced the single "Unknown sources" switch), and deploying a mobile threat defense (MTD) solution with behavioral detection for accessibility service abuse. Organizations should enforce application allowlisting through their MDM/EMM and periodically review which apps hold accessibility, Device Administrator, SMS, and call-log permissions, since those grants are visible both in device settings and in MDM inventory. Detection content (YARA rules for known samples and network IOCs) is available in the source advisory.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.