Cyberespionage Campaign Targets Android Users in Middle East

A recently uncovered cyberespionage campaign is targeting the users of Android devices in Middle Eastern countries, Trend Micro’s security researchers reveal.

Dubbed “Bouncing Golf,” the campaign uses a piece of malware detected as GolfSpy, which packs a wide range of cyberespionage capabilities. The malicious code is hidden inside repackaged legitimate applications that are being distributed through hosting websites promoted on social media.

To date, the campaign appears to have infected over 660 Android devices, mainly seeking to steal military-related information from them.

The operation might be related to the previously observed Domestic Kitten cyberespionage campaign, given the similarly structured strings of code and the similar format of the data targeted for theft. Once installed on an Android device, the GolfSpy malware can effectively hijack it, Trend Micro reveals.

The threat can steal information such as device accounts, list of installed applications, current running processes, battery status, bookmarks/history of the device’s default browser, call logs and records, clipboard content, contacts, mobile operator information, files on SD card, device location, list of image/audio/video files on the device, storage/memory/connection/sensor information, and SMS messages.

The malware can also connect to a remote server to fetch and perform commands for searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

The repackaged applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East. Once executed on the compromised smartphone, GolfSpy generates a unique ID and then collects targeted data and writes it to a file on the device.

The malware operators can choose the data types to collect, Trend Micro’s security researchers have discovered. All stolen data is encrypted using a simple XOR operation with a pre-configured key before it is sent to the command and control (C&C) server via HTTP POST requests.

The malware was also observed creating a socket connection to the remote C&C server to receive and perform additional commands. The socket connection is also used to send the encrypted data to the C&C server (a different encryption key is used than when sending over HTTP).
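The two paragraphs above describe exfiltrated data being obscured with a simple XOR against a pre-configured key before it leaves the device. The following is an added analyst-side example (not Trend Micro's or SecurityWeek's code, and not recovered from GolfSpy) showing how a responder can decode such a capture and, when the key has not yet been pulled from the sample, recover it from a known plaintext prefix; it assumes a repeating key, and the key, record layout and field names are constructed for the demo.

```python
# Added example: triage helper for XOR-obscured exfiltration traffic.
# Assumption: repeating-key XOR (the article does not state the key length or layout).
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key; XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: if the first key_len cleartext bytes are known
    (e.g. a field name the sample always writes first), XORing them against the
    captured bytes yields the key material directly."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])

def looks_like_cleartext(blob: bytes) -> bool:
    """Cheap plausibility check after a trial decode: printable UTF-8 text only."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)

# Constructed stand-ins for one exfiltrated record and one pre-configured key.
DEMO_KEY = b"k3y!"
DEMO_RECORD = b"device_id=demo-0001;battery=87;contacts=2;sms=0\n"
CAPTURED_POST_BODY = xor_bytes(DEMO_RECORD, DEMO_KEY)  # what a proxy or pcap would show

def triage(captured: bytes, known_prefix: bytes, key_len: int) -> tuple[bytes, bytes, bool]:
    """Recover the key from the known prefix, decode the capture, and report plausibility."""
    key = recover_key(captured, known_prefix, key_len)
    plain = xor_bytes(captured, key)
    return key, plain, looks_like_cleartext(plain)

if __name__ == "__main__":
    key, plain, ok = triage(CAPTURED_POST_BODY, b"device_id=", len(DEMO_KEY))
    print("recovered key:", key, "plausible cleartext:", ok)
    print(plain.decode())
```

Because the article notes that the socket channel uses a different key from the HTTP channel, a capture from each channel must be triaged with its own key.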

While just over 660 devices have been infected to date, the number is expected to increase and the campaign to diversify in terms of distribution, Trend Micro says.

The campaign’s operators attempted to cover their tracks, for instance by masking the registrant contact details of the C&C domains. Additionally, they used disparate C&C server IP addresses located in several European countries, including Russia, France, the Netherlands, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users. The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device,” Trend Micro concludes.

Related: Chinese Cyber-Spies Target Government Organizations in Middle East

Related: State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
