Like any phishing attack, Darcula pretends to be a recognized entity to collect information from users. However, its attack method is quite complex. While most previous attacks spread via SMS, Darcula uses the RCS communication standard.
Darcula is being spread by phishing attackers in over 100 countries
It’s an attack vector that’s not seen very often and has been difficult for Google and Apple to address. That’s because both Google Messages and iMessage offer end-to-end encryption for messages, which means the companies can’t block a threat based on the text content of the message.
Darcula was first discovered last summer by security researcher Oshri Kalfon. However, Netcraft reports that this phishing threat has recently become more widespread and has been used in high-profile cases.
Darcula's methods are more sophisticated than usual: it is built on modern technologies such as JavaScript, React, Docker, and Harbor, and it comes with a library of over 200 website templates that impersonate brands or organizations in over 100 countries. These templates are of high quality and look very similar to the official websites.
Darcula's modus operandi involves sending the victim a message with incomplete content and a link, asking the recipient to visit the site for full details. Because the impersonating sites are such close copies, less experienced users may hand over their data, which is then used for unknown purposes.
Netcraft claims to have detected 20,000 Darcula domains spread across over 11,000 IP addresses. The report also says 120 new domains are added every day, making identification even more difficult.
Given this, users are advised to be more cautious about entering personal data when the request comes via messages, direct calls, or unknown senders.