UPDATED 14:24 EST / JANUARY 19 2018


Spyware posing as apps like WhatsApp stole data in at least 20 countries

The Electronic Frontier Foundation and cybersecurity company Lookout Inc. have uncovered a global spyware campaign that has stolen hundreds of gigabytes of data, primarily from mobile Android devices.

The campaign, which the two groups have named “Dark Caracal,” accidentally outed itself by storing the stolen data on an unsecured server accessible via the internet.

According to EFF and Lookout, Dark Caracal uses “trojanized” spyware, which poses as legitimate apps such as WhatsApp and Signal. The fake apps function just like the real thing, but they also capture messages, photos, audio and other data. According to EFF Director of Cybersecurity Eva Galperin, Dark Caracal affected people in countries around the world, including the U.S., Canada, Germany and others.

“Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos,” Galperin said in a statement Thursday. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

EFF Staff Technologist Cooper Quintin added that the attack doesn’t even require a sophisticated or expensive exploit. “Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” he said. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

Lookout released a full report of its findings on Dark Caracal, which the firm said has been active since at least 2012. According to the report, Lookout’s researchers traced the malware back to a building belonging to Lebanon’s General Directorate of General Security, one of the country’s intelligence agencies. Based on this information, Lookout said that “it is likely that the GDGS is associated with or directly supporting the actors behind Dark Caracal.”

This is the second time this week that security researchers have discovered powerful spyware on Android. On Tuesday, antivirus provider Kaspersky Lab announced the discovery of “Skygofree,” a malware program that the company called “one of the most powerful spyware tools that we have ever seen for this platform.”

EFF said Dark Caracal may be only one of several cyberattack campaigns that operate through the same infrastructure. The organization also conceded that it has previously “misidentified” activity that had actually come from Dark Caracal. EFF offered some advice today on what users should do about the situation, such as keeping an eye out for links, attachments, and apps that pretend to be something they’re not.

Photo: Dark Caracal Technical Report/Lookout
