EFF uncovers data-stealing security bug on thousands of smartphones

The Electronic Frontier Foundation (EFF), working with mobile security firm Lookout, has discovered a mobile malware program that has stolen gigabytes of data from users and appears to have originated from a government building in Lebanon.

The malware has infected thousands of smartphones, with targets including military personnel, journalists, lawyers and activists. It was hidden in fake messaging software designed to look like WhatsApp, Signal and other popular OTT messaging apps.

The threat, called Dark Caracal by the researchers, appears to have been created by a nation state, and uses shared infrastructure that other nation-state hackers have employed before. Mainly targeted at Android phones, it exploits known security flaws to access data from those affected.

“Based on the available evidence, it is likely that the GDGS (the Lebanese General Security Directorate) is associated with or directly supporting the actors behind Dark Caracal,” said the report on the malware.

“This is a very large, global campaign, focused on mobile devices,” said Eva Galperin, director of cybersecurity at EFF. “Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life. People in the US, Canada, Germany, Lebanon and France have been hit by Dark Caracal… the types of stolen data range from call records and audio recordings to documents and photos.”

The researchers believe Dark Caracal has been in operation since 2012, but it has proved hard to track due to unrelated espionage campaigns originating from similar domains. However, Google has stated that it is confident that the infected apps were not downloaded from its Play Store, and Google Play Protect is being used to remove the apps in question from all affected devices.