New Android spyware, apparently targeting government security job seekers, has been detected in Saudi Arabia. The code is poor but the malware works efficiently, claims McAfee in a report published yesterday.
The spyware openly masquerades as a chat app called Chat Private. McAfee claims it is working in tandem with a job site that offers work for security personnel in government or military jobs. In reality the site seems much like any other job site and advertises many different job sectors, including for example, media, accounting, education, medical and so on.
McAfee is confident that the malware is associated with the job site because it “steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.” The report provides two low-res screenshots of the website’s home page and a page titled www.ksa-sef.com/Hack%20Mobaile. The latter actually says, in Arabic, “Sorry, but the page you requested does not exist. Try using a search engine.”
There is no indication on how the app is introduced to its victims, and McAfee was unable to give SecurityWeek any further information.
The app itself could be described as efficient but uninspired. When run it simply shows the user’s network carrier and phone number, and then effectively disappears by hiding its application icon from the menu.
In background it gathers device information, contacts, browser history, SMS messages, and call logs on the infected device, and posts them to a MySQL database on the attacker’s server. It also sends a message, “New victim arrived.” It is this and other ‘unprofessional’ indicators that prompt mcAfee to suggest that the author is a ‘script kiddie’ rather than a seasoned malware developer.
Other examples include the use of the term ‘spy’ in the package name, and use of the open-source ‘call-recorder-for-android’ that can be found on GitHub.
McAfee is concerned about the implications of this malware. “The motives behind the spyware author are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.”
However, when SecurityWeek checked the job site we could find no reference to the Chat Private app. Unless distribution of the app is specifically targeted at government and military applicants, it seems to do little more than steal users’ private information and send it to a recruitment firm.