Security Experts:

Connect with us

Hi, what are you looking for?



Cyberespionage Campaign Targets Android Users in Middle East

A recently uncovered cyberespionage campaign is targeting the users of Android devices in Middle Eastern countries, Trend Micro’s security researchers reveal.

A recently uncovered cyberespionage campaign is targeting the users of Android devices in Middle Eastern countries, Trend Micro’s security researchers reveal.

Dubbed “Bouncing Golf,” the campaign uses a piece of malware detected as GolfSpy, which packs a wide range of cyberespionage capabilities. The malicious code is hidden inside repackaged legitimate applications that are being distributed through hosting websites promoted on social media.

To date, the campaign appears to have infected over 660 Android devices, mainly seeking to steal military-related information from them.

The operation might be related to the previously observed Domestic Kitten cyberespionage campaign, given the similarly structured strings of code and the similar format of the data targeted for theft. Once installed on an Android device, the GolfSpy malware can effectively hijack it, Trend Micro reveals.

The threat can steal information such as device accounts, list of installed applications, current running processes, battery status, bookmarks/history of the device’s default browser, call logs and records, clipboard content, contacts, mobile operator information, files on SD card, device location, list of image/audio/video files on the device, storage/memory/connection/sensor information, and SMS messages.

The malware can also connect to a remote server to fetch and perform commands for searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

The repackaged applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East. Once executed on the compromised smartphone, GolfSpy generates a unique ID and then collects targeted data and writes it to a file on the device.

The malware operators can choose the data types to collect, Trend Micro’s security researchers have discovered. All stolen data is encrypted using a simple XOR operation with a pre-configured key before it is sent to the command and control (C&C) server via HTTP POST requests.

The malware was also observed creating a socket connection to the remote C&C server to receive and perform additional commands. The socket connection is also used to send the encrypted data to the C&C server (a different encryption key is used than when sending over HTTP).

While just over 660 devices have been infected to date, the number is expected to increase and the campaign to diversify in terms of distribution, Trend Micro says.

The campaign’s operators attempted to cover their tracks by masking the registrant contact details of the C&C domains, for instance. Additionally, they used disparate C&C server IP addresses, which were located in many European countries, including Russia, France, the Netherlands, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users. The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device,” Trend Micro concludes.

Related: Chinese Cyber-Spies Target Government Organizations in Middle East

Related: State-Sponsored Hackers Use Sophisticated DNS Hijacking in Ongoing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona