A recently uncovered cyberespionage campaign is targeting the users of Android devices in Middle Eastern countries, Trend Micro’s security researchers reveal.
Dubbed “Bouncing Golf,” the campaign uses a piece of malware detected as GolfSpy, which packs a wide range of cyberespionage capabilities. The malicious code is hidden inside repackaged legitimate applications that are being distributed through hosting websites promoted on social media.
To date, the campaign appears to have infected over 660 Android devices, mainly seeking to steal military-related information from them.
The operation might be related to the previously observed Domestic Kitten cyberespionage campaign, given the similarly structured strings of code and the similar format of the data targeted for theft. Once installed on an Android device, the GolfSpy malware can effectively hijack it, Trend Micro reveals.
The threat can steal information such as device accounts, the list of installed applications, currently running processes, battery status, bookmarks and history of the device’s default browser, call logs and records, clipboard content, contacts, mobile operator information, files on the SD card, device location, the list of image/audio/video files on the device, storage/memory/connection/sensor information, and SMS messages.
The malware can also connect to a remote server to fetch and perform commands for searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.
The repackaged applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East. Once executed on the compromised smartphone, GolfSpy generates a unique ID and then collects targeted data and writes it to a file on the device.
The malware operators can choose the data types to collect, Trend Micro’s security researchers have discovered. All stolen data is encrypted using a simple XOR operation with a pre-configured key before it is sent to the command and control (C&C) server via HTTP POST requests.
The malware was also observed creating a socket connection to the remote C&C server to receive and perform additional commands. The socket connection is also used to send the encrypted data to the C&C server, using a different encryption key than the one used for the HTTP channel.
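One forensic task this description implies is decoding exfiltration traffic pulled from a packet capture. The following is an added Python example, not Trend Micro’s code or the malware’s: it recovers a repeating XOR key from a captured POST body using a known plaintext prefix, decodes the record, and shows why a key recovered from the HTTP channel will not decode the socket channel. The record layout, the known prefix, and both keys are constructed assumptions; the article only states that the two channels use different pre-configured keys.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext recovery of a repeating XOR key of unknown length.

    Tries every key length up to len(known_prefix) - 1 and keeps the shortest
    one whose recovered key reproduces the *entire* known prefix, so a chance
    match on the first few bytes is rejected. Raises if no length fits.
    """
    for key_len in range(1, len(known_prefix)):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix))
        if xor_bytes(ciphertext[:len(known_prefix)], candidate) == known_prefix:
            return candidate
    raise ValueError("no repeating key up to %d bytes fits" % (len(known_prefix) - 1))


# Constructed sample data: the record layout and both keys are assumptions made
# for this example, not values taken from the GolfSpy samples.
HTTP_KEY = b"k3y!"
SOCKET_KEY = b"s0ckT"
SAMPLE_RECORD = b"id=DEVICE-0001;type=contacts;name=Alice;phone=+1000000000"
KNOWN_PREFIX = b"id=DEVICE-"  # assumed fixed header at the start of every record


def captured_post_body() -> bytes:
    """Stand-in for an HTTP POST body taken from a packet capture (constructed)."""
    return xor_bytes(SAMPLE_RECORD, HTTP_KEY)


def decode_capture(body: bytes, known_prefix: bytes = KNOWN_PREFIX) -> tuple[bytes, bytes]:
    """Recover the channel key from the known prefix, then decode the whole body."""
    key = recover_key(body, known_prefix)
    return key, xor_bytes(body, key)


if __name__ == "__main__":
    key, plain = decode_capture(captured_post_body())
    print("recovered key:", key)
    print("decoded record:", plain.decode())
```

Because each channel has its own key, an analyst must run the recovery separately against the HTTP POST bodies and against the raw socket stream.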
While just over 660 devices have been infected to date, the number is expected to increase and the campaign to diversify in terms of distribution, Trend Micro says.
The campaign’s operators also attempted to cover their tracks, for instance by masking the registrant contact details of the C&C domains. Additionally, they used disparate C&C server IP addresses located in several European countries, including Russia, France, the Netherlands, and Germany.
“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users. The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device,” Trend Micro concludes.