The STFD-686 app operated with disarming simplicity. It offered the promise of financial aid, requiring only that the victim fill out a few personal details. It asked innocent questions: “What kind of assistance are you expecting?” and “Tell us more about your financial situation.”
The expected answer was clear: financial help. In return, users would supposedly receive monthly cash transfers of around 400,000 Syrian pounds — roughly $40 at the time — sent anonymously via local money transfer companies. Sending small sums across Syria, whether under real or fictitious names, required nothing more than a phone number, and the black market was teeming with intermediaries ready to facilitate such transfers.
On the surface, the app appeared to offer a special service for officers. Its first disguise was a humanitarian one: claiming to support the “heroes of the Syrian Arab Army” through a new initiative, while showcasing photos of real activities from the official Syria Trust for Development website.
The second mask was emotional, employing reverent language that praised the soldiers’ sacrifices: “They give their lives so that Syria may live with pride and dignity.” The third was nationalistic, and framed the app as a “patriotic initiative” designed to bolster loyalty, and this mask proved the most persuasive.
The fourth mask was visual: The app’s name, both in English and Arabic, mirrored the official organization exactly. Even the logo was an identical replica of Syria Trust’s emblem.
Once installed, the app opened a simple web view embedded inside the application, which loaded external websites; because the embedded browser showed no address bar, users never saw where they were being sent. The sites, syr1.store and syr1.online, mimicked the official Syria Trust domain, syriatrust.sy. “syr1,” read as an abbreviation of Syria, looked plausible enough, and the few users who noticed the URL paid it little mind; it was simply assumed to be trustworthy.
To access the questionnaire, users were asked to submit a series of seemingly innocent details: full name, wife’s name, number of children, place and date of birth. But the questions quickly escalated into riskier territory: the user’s phone number, military rank and exact service location down to the corps, division, brigade and battalion.
Determining officers’ ranks made it possible for the app’s operators to identify those in sensitive positions, such as battalion commanders and communications officers, while knowing their exact place of service allowed for the construction of live maps of force deployments. It gave the operators behind the app and the website the ability to chart both strongholds and gaps in the Syrian army’s defensive lines. The most crucial point was the combination of the two pieces of information: Disclosing that “officer X” was stationed at “location Y” was tantamount to handing the enemy the army’s entire operating manual, especially on fluid fronts like those in Idlib and Sweida.
According to an analysis by a Syrian software engineer, what the officers dismissed as a tedious questionnaire was, in reality, a data entry form for military algorithms, turning their phones into live printers that generated highly accurate battlefield maps. “The majority of officers often ignored security protocols,” the engineer said. “I doubt any of them realized that behind these innocent-looking forms, traps were laid for them with the innocence of a wolf.” He added that while the mechanism of espionage was technically old, it remained devastatingly effective, especially given the widespread ignorance of cyberwarfare within the Syrian army.
At the bottom of the application’s web page, another trap lay in wait: an embedded Facebook contact link. Whatever the user typed into the login page behind it was siphoned directly to a remote server, quietly handing over access to their personal account. If the victim somehow escaped the first snare, there was a good chance they would fall into the second.
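The two traps described above, the decoy domains loaded inside the app’s web view and the credential-capturing link, are the kind of thing a defender would look for in the app’s recorded network traffic. The script below is an added example, not code from the article or from the app it describes: it triages a small proxy log, flagging hosts that imitate the organization’s real domain and POST requests that carry login or military-posting fields to any host outside it. The trusted domain (syriatrust.sy) and the decoy hosts (syr1.store, syr1.online) come from the article; the log format, request paths and form-field names are constructed for illustration, and the lookalike test is a deliberately simple heuristic.

```python
"""Triage of HTTP requests recorded from a suspicious 'aid' app.

Added example, not code from the article or from the app it describes.
The trusted domain and the decoy hosts are taken from the article; the
log format, paths and form-field names are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

TRUSTED_DOMAIN = "syriatrust.sy"  # the organization the app claims to represent

# Field names that suggest a login form or a military-posting questionnaire
# (assumed names, chosen to match the article's description of the form).
CREDENTIAL_FIELDS = {"email", "username", "login", "pass", "password", "passwd"}
POSTING_FIELDS = {"rank", "unit", "corps", "division", "brigade", "battalion"}

# Constructed proxy log: one request per line, "METHOD URL [urlencoded body]".
SAMPLE_LOG = """\
GET https://syr1.store/aid/form.html
POST https://syr1.store/aid/submit name=Officer+X&rank=Captain&unit=Battalion+Y
GET https://syr1.online/contact
POST https://syr1.online/fb/login email=officer%40example.com&pass=hunter2
GET https://www.facebook.com/SyriaTrust
"""


def parse_log(text):
    """Split each log line into method, host, path and the set of posted field names."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 2)
        method, url = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        u = urlsplit(url)
        requests.append({
            "method": method,
            "host": (u.hostname or "").lower(),
            "path": u.path,
            "fields": set(parse_qs(body, keep_blank_values=True)),
        })
    return requests


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (suffix match on a label boundary)."""
    return host == domain or host.endswith("." + domain)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """The label left of the TLD: 'syr1' for syr1.store, 'facebook' for www.facebook.com.
    Naive on purpose: it ignores multi-part public suffixes such as .co.uk."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def looks_alike(host, domain):
    """Heuristic lookalike test on the registrable labels: a shared prefix of
    three or more characters, or an edit distance of at most two."""
    h, d = registrable_label(host), registrable_label(domain)
    prefix = 0
    for x, y in zip(h, d):
        if x != y:
            break
        prefix += 1
    return prefix >= 3 or edit_distance(h, d) <= 2


def triage(text):
    """Return findings as (kind, host, path) tuples for traffic leaving the trusted domain."""
    findings = []
    flagged_hosts = set()
    for r in parse_log(text):
        host = r["host"]
        if under_domain(host, TRUSTED_DOMAIN):
            continue  # traffic to the real organization is not suspicious by itself
        if host not in flagged_hosts and looks_alike(host, TRUSTED_DOMAIN):
            findings.append(("lookalike-domain", host, r["path"]))
            flagged_hosts.add(host)
        if r["method"] == "POST" and r["fields"] & CREDENTIAL_FIELDS:
            findings.append(("credential-exfil", host, r["path"]))
        if r["method"] == "POST" and r["fields"] & POSTING_FIELDS:
            findings.append(("posting-data-exfil", host, r["path"]))
    return findings


if __name__ == "__main__":
    for kind, host, path in triage(SAMPLE_LOG):
        print(f"{kind:20} {host}{path}")
```

On the sample log the script reports syr1.store and syr1.online as lookalikes of syriatrust.sy, the questionnaire POST as an exfiltration of posting data, and the fake Facebook login as credential exfiltration, while the genuine facebook.com request produces no finding. The lookalike heuristic is intentionally loose and will over-match short labels; in practice it is a prompt for a human to look, not a verdict.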
After harvesting basic information through the embedded phishing pages, the attack moved to its second stage: deploying SpyMax, one of the most widely used Android surveillance tools. SpyMax is an upgraded version of SpyNote, a remote access trojan notorious on the black market, and is typically distributed as a malicious APK (the package format used to install Android apps), hosted on fake download portals that appear legitimate. Crucially, SpyMax does not need root access (the highest level of control over the phone’s operating system) to function, which makes compromising a device dangerously easy. Original builds sell for around $500, but cracked copies circulate for free. In this case, the spyware was pushed through the same Telegram channel that distributed the fake Syria Trust app and was installed on officers’ phones under the guise of a legitimate application.
SpyMax has the full feature set of a remote access trojan (RAT): keylogging to steal passwords and intercept text messages; extraction of confidential files, photos and call logs; and access to the camera and microphone for real-time surveillance of the victim.
Once the implant connects back, the victim’s device appears on the attacker’s dashboard, a live panel that shows everything from call logs to file transfers, depending on the functions the operator has enabled.
The spyware ran on Android versions as old as Lollipop (Android 5.0, released in late 2014), so a broad range of both older and newer devices were exposed. An examination of the permissions granted to the app showed access to 15 sensitive functions. The most critical among them: live location tracking, which reveals soldiers’ movements and military positions; eavesdropping on and recording calls, exposing conversations between commanders and their operational plans in advance; extraction of documents such as maps and other sensitive files from officers’ phones; and camera access, which could let whoever launched the spyware remotely stream footage of military facilities.
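The permission review described above is the first thing an analyst does with a suspicious APK: decode the manifest and map what it asks for to what it can do. The following is an added example, not the article’s analysis or the spyware’s own code. It parses a constructed AndroidManifest.xml (the package name, component names and permission set are invented to resemble a RAT-style implant, not the real app’s), maps each declared permission to a surveillance capability using a mapping of my own, and flags two conditions a practitioner cares about: support for Lollipop-era devices (minSdkVersion 21) and a targetSdkVersion below 23, which means every permission is granted silently at install time rather than through runtime prompts.

```python
"""Permission triage of a decoded AndroidManifest.xml.

Added example, not the article's analysis or the spyware's code. The manifest
below is constructed to resemble what a decoded RAT-style APK declares; the
package name, permissions and component names are invented, and the mapping
from permissions to surveillance capabilities is the author's own.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
RUNTIME_PERMISSIONS_API = 23  # Android 6.0: dangerous permissions become runtime prompts
LOLLIPOP_API = 21             # Android 5.0, released late 2014

# Which surveillance capability each permission unlocks (author's mapping).
CAPABILITY = {
    "android.permission.ACCESS_FINE_LOCATION": "live location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "live location tracking",
    "android.permission.RECORD_AUDIO": "microphone and call recording",
    "android.permission.CAMERA": "remote camera capture",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_EXTERNAL_STORAGE": "document and photo exfiltration",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboots",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlays",
}

# Constructed manifest; not the real app's. Decoders such as apktool produce this shape.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.aidapp">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Syria Trust">
    <activity android:name=".WebActivity" android:exported="true"/>
    <service android:name=".C2Service" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Pull package name, SDK levels, declared permissions and boot receivers from the manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else None
    target_sdk = int(sdk.get(A + "targetSdkVersion", str(min_sdk))) if sdk is not None else None
    return {
        "package": root.get("package"),
        "min_sdk": min_sdk,
        "target_sdk": target_sdk,
        "permissions": [p.get(A + "name") for p in root.findall("uses-permission")],
        "boot_receiver": any(
            a.get(A + "name") == "android.intent.action.BOOT_COMPLETED" for a in root.iter("action")
        ),
    }


def triage_manifest(xml_text):
    """Map declared permissions to capabilities and flag install-time permission grants."""
    m = parse_manifest(xml_text)
    caps = {p: CAPABILITY[p] for p in m["permissions"] if p in CAPABILITY}
    return {
        "package": m["package"],
        "min_sdk": m["min_sdk"],
        "capabilities": caps,
        # An app targeting API < 23 receives every declared permission at install
        # time, even on a modern phone; no runtime prompt ever appears.
        "install_time_grant": m["target_sdk"] is not None and m["target_sdk"] < RUNTIME_PERMISSIONS_API,
        "reaches_lollipop": m["min_sdk"] is not None and m["min_sdk"] <= LOLLIPOP_API,
        "boot_persistence": m["boot_receiver"] or "android.permission.RECEIVE_BOOT_COMPLETED" in caps,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "minSdk", report["min_sdk"])
    for perm, cap in sorted(report["capabilities"].items()):
        print(f"  {perm:48} -> {cap}")
    print("install-time grant:", report["install_time_grant"])
    print("boot persistence:", report["boot_persistence"])
```

The two flags are worth reading together: a low targetSdkVersion matters most for an app sideloaded from a Telegram channel, since it never passes the store policies that would reject it, and the phone grants location, microphone, camera, SMS and storage access the moment the user taps “install,” with no prompt to refuse.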
read more:
https://newlinesmag.com/reportage/how-a-spyware-app-compromised-assads-army/