Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Android Spyware Snoops on Government, Military Security Job Seekers

New Android spyware, apparently targeting government security job seekers, has been detected in Saudi Arabia. The code is poor but the malware works efficiently, claims McAfee in a report published yesterday.

New Android spyware, apparently targeting government security job seekers, has been detected in Saudi Arabia. The code is poor but the malware works efficiently, claims McAfee in a report published yesterday.

The spyware openly masquerades as a chat app called Chat Private. McAfee claims it is working in tandem with a job site that offers work for security personnel in government or military jobs. In reality the site seems much like any other job site and advertises many different job sectors, including for example, media, accounting, education, medical and so on.

McAfee is confident that the malware is associated with the job site because it “steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.” The report provides two low-res screenshots of the website’s home page and a page titled www.ksa-sef.com/Hack%20Mobaile. The latter actually says, in Arabic, “Sorry, but the page you requested does not exist. Try using a search engine.”

There is no indication on how the app is introduced to its victims, and McAfee was unable to give SecurityWeek any further information.

The app itself could be described as efficient but uninspired. When run it simply shows the user’s network carrier and phone number, and then effectively disappears by hiding its application icon from the menu.

In background it gathers device information, contacts, browser history, SMS messages, and call logs on the infected device, and posts them to a MySQL database on the attacker’s server. It also sends a message, “New victim arrived.” It is this and other ‘unprofessional’ indicators that prompt mcAfee to suggest that the author is a ‘script kiddie’ rather than a seasoned malware developer.

Advertisement. Scroll to continue reading.

Other examples include the use of the term ‘spy’ in the package name, and use of the open-source ‘call-recorder-for-android’ that can be found on GitHub.

McAfee is concerned about the implications of this malware. “The motives behind the spyware author are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.”

However, when SecurityWeek checked the job site we could find no reference to the Chat Private app. Unless distribution of the app is specifically targeted at government and military applicants, it seems to do little more than steal users’ private information and send it to a recruitment firm.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.