A newly discovered cyber espionage campaign has been targeting Android users in the Middle East with malware designed to steal scores of device information, snoop on victims and potentially take over mobile devices.
Known as GolfSpy, the malware is found in once-legitimate applications that have been repackaged to contain malicious code, according to a June 18 blog post from Trend Micro, whose researchers uncovered the operation.
The researchers did not find these apps in either the Google Play store or third-party marketplaces. Instead, they were observed on a host website that was promoted on social media. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps typically used by Middle Easterners.
So far, much of the information stolen by GolfSpy looks to be related to the military, according to the report — an observation that might possibly reveal the perpetrators’ top choice of target. More than 660 devices are known to have been infected, “but we also expect it to increase or even diversify in terms of distribution,” state blog post authors and Trend Micro researchers Ecular Xu and Grey Guo.
According to TrendMicro, GolfSpy is capable of stealing a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and histories of the default browser, call logs and records, clipboard contents, contacts (including those in VCard format), mobile operator information, files stored on an SDcard, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored
image, audio and video files.
GolfSpy then exfiltrates this stolen information in encrypted form to a malicious C2 server, with which it communicates over HTTP as well as through a socket connection. The researchers found C2 server IP addresses in multiple European countries including Russia, France, the Netherlands and Germany.
“The extent of information that these kinds of threats can steal is… significant, as it lets attackers virtually take over a compromised device,” the blog post states.
GolfSpy also can perform additional commands used for espionage purposes, including recording audio and video; installing additional application packages and updating malware; and searching for, listing, deleting and renaming files.
The researchers also took note that the campaign bears several similarities to another mobile cyber espionage campaign called Domestic Kitten, which is commonly associated with Iranian state actors and is known to target Iranians, as well as Kurdish and Urdu natives, ISIS supporters and Yemeni citizens. Trend Micro notes that the two campaigns share the same strings of code for their decoding algorithm, both repackage apps that are popular in their target countries, and both organize their stolen data using unique identifying characters.