On September 26, 2016, it was reported that a Libyan cyber espionage group was targeting the Android smartphones of high-profile Libyans with a remote-access Trojan (RAT) malware known as AlienSpy. The infections started at the beginning of August 2016, when the group, dubbed “Libyan Scorpions” by the Kuwait-based security firm Cyberkov, managed to compromise the Telegram account of a high-profile Libyan figure. According to Cyberkov, the targeted individual received a notification from Telegram alerting him to a login from a Spanish IP address. The attacker was able to start conversations with the victim’s friends on the service, successfully phishing them with a download link to install an Android app under the pretense that it would help them decode an important voice message. Cyberkov says that the app was a legitimate Android application downloaded from the Google Play Store that was repackaged with the AlienSpy RAT.
The researchers who analyzed the app traced its command and control (C&C) server to a local Libyan IP address belonging to a Libyan Telecom. Because the same IP was also used to host a dynamic DNS service, the perpetrators were likely using the same infrastructure for a host of malicious operations and not just for stolen data.
Source: news.softpedia.com, September 26, 2016