Cyberespionage Campaign Targets Android Users in Middle East

A recently uncovered cyberespionage campaign is targeting the users of Android devices in Middle Eastern countries, Trend Micro’s security researchers reveal.

Dubbed “Bouncing Golf,” the campaign uses a piece of malware detected as GolfSpy, which packs a wide range of cyberespionage capabilities. The malicious code is hidden inside repackaged legitimate applications that are being distributed through hosting websites promoted on social media.

To date, the campaign appears to have infected over 660 Android devices, mainly seeking to steal military-related information from them.

The operation might be related to the previously observed Domestic Kitten cyberespionage campaign, given the similarly structured strings of code and the similar format of the data targeted for theft. Once installed on an Android device, the GolfSpy malware can effectively hijack it, Trend Micro reveals.

The threat can steal information such as device accounts, list of installed applications, current running processes, battery status, bookmarks/history of the device’s default browser, call logs and records, clipboard content, contacts, mobile operator information, files on SD card, device location, list of image/audio/video files on the device, storage/memory/connection/sensor information, and SMS messages.

The malware can also connect to a remote server to fetch and perform commands for searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

The repackaged applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East. Once executed on the compromised smartphone, GolfSpy generates a unique ID and then collects targeted data and writes it to a file on the device.

The malware operators can choose the data types to collect, Trend Micro’s security researchers have discovered. All stolen data is encrypted using a simple XOR operation with a pre-configured key before it is sent to the command and control (C&C) server via HTTP POST requests.

The malware was also observed creating a socket connection to the remote C&C server to receive and perform additional commands. The socket connection is also used to send the encrypted data to the C&C server (a different encryption key is used than when sending over HTTP).
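The two preceding paragraphs describe the same weak scheme on both exfiltration channels: stolen records XORed with a fixed, pre-configured key, with one key for the HTTP POST channel and a different one for the socket channel. The following Python is an added analyst helper written for this article, not code from Trend Micro or from the malware, showing why that construction gives an investigator so much: the same routine decodes a captured blob once the key is known, a blob decoded with the wrong channel's key is visibly garbage, and because XOR is its own inverse, a short run of predictable plaintext leaks the key outright. The record layout, the key values and the function names are constructed assumptions for illustration only.

```python
"""
Analyst helper for XOR-obfuscated exfiltration traffic.
All keys, sample data and field names below are constructed for this
example; they are not values taken from the GolfSpy samples.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`. XOR is its own inverse, so the
    same call both obfuscates a record and decodes a captured one."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length `key_len` from a captured blob
    whose first `key_len` plaintext bytes are known (e.g. a predictable
    record header). With a fixed key, key[i] = ciphertext[i] ^ plaintext[i]."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed sample record, in a layout assumed for this example only.
SAMPLE_RECORD = b"id=ABC123;type=sms;body=hello"
HTTP_KEY = b"k3y!"     # constructed stand-in for the HTTP-channel key
SOCKET_KEY = b"s0ck"   # constructed stand-in for the socket-channel key


def analyse() -> dict:
    """Walk through decoding the two channels and recovering a key from
    a known record prefix. Returns the checks as a dict so a harness can
    assert on them."""
    http_blob = xor_bytes(SAMPLE_RECORD, HTTP_KEY)
    socket_blob = xor_bytes(SAMPLE_RECORD, SOCKET_KEY)

    # Each channel decodes only with its own key; mixing them up yields noise,
    # which is why an analyst must track the two keys separately.
    http_ok = xor_bytes(http_blob, HTTP_KEY) == SAMPLE_RECORD
    socket_ok = xor_bytes(socket_blob, SOCKET_KEY) == SAMPLE_RECORD
    cross_key_garbage = xor_bytes(http_blob, SOCKET_KEY) != SAMPLE_RECORD

    # Known-plaintext key recovery: the record header "id=A" is predictable,
    # so four bytes of it are enough to recover a four-byte key.
    recovered = recover_key(http_blob, b"id=A", key_len=4)

    return {
        "http_roundtrip": http_ok,
        "socket_roundtrip": socket_ok,
        "cross_key_garbage": cross_key_garbage,
        "recovered_http_key": recovered,
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value!r}")
```

The point for a defender is the last check: a fixed XOR key on a data stream whose format is predictable (the same field names appear in every record) does not hide the contents from anyone who captures the traffic, so network captures of C&C traffic from this family can be decoded and used to establish exactly what left the device.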

While just over 660 devices have been infected to date, the number is expected to increase and the campaign to diversify in terms of distribution, Trend Micro says.

The campaign’s operators attempted to cover their tracks by masking the registrant contact details of the C&C domains, for instance. Additionally, they used disparate C&C server IP addresses, which were located in many European countries, including Russia, France, the Netherlands, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users. The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device,” Trend Micro concludes.

Related: Chinese Cyber-Spies Target Government Organizations in Middle East

Related: State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
