ESET uncovers chat app malware spying and stealing user's data

ESET researchers have discovered a new operation that masquerades as a chat app to spy on users and leak stolen data.

The operation is reportedly part of a long-running cyber-espionage campaign in the Middle East that is said to have links to the threat actor group known as Gaza Hackers, or Molerats.

Instrumental in the operation is Android app Welcome Chat, which serves as spyware while also delivering the promised chatting functionality.

The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. This claim is entirely false, ESET researchers state.

According to the researchers, the Welcome Chat app behaves like any chat app downloaded from outside Google Play in that it needs the setting ‘Allow installing apps from unknown sources’ to be activated.

After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access to contacts and device location.

Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information.

Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device, according to ESET.

The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East.

BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, ESET researchers state they believe this campaign with the new Android trojans comes from the same threat actors.

Lukas Stefanko, the ESET researcher who analysed Welcome Chat, says, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

He says, “Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind. Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network.”

ESET researchers tried to establish whether Welcome Chat is an attacker-trojanised version of a clean app, or a malicious app developed from scratch.

Stefanko says, “We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation.”

While the Welcome Chat-based espionage operation seems to be narrowly targeted, ESET strongly discourages users from installing apps from outside the official Google Play store, unless it’s a trusted source such as the website of an established security vendor or some reputable financial institution.

In addition, users should pay attention to what permissions their apps request and be suspicious of any app that asks for permissions beyond what its functionality requires. As a very basic security measure, users should also run a reputable security app on their mobile devices, ESET states.
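The permission advice above can be turned into a simple check. The script below is an added example, not ESET's code or anything from the Welcome Chat analysis: it parses the "requested permissions:" block of `adb shell dumpsys package` output and flags any package that requests the combination of capabilities the article describes (SMS, file access, audio recording, contacts and location). The mapping from those capabilities to Android permission names, the package names and the dump text itself are constructed for this example.

```python
"""Flag installed Android apps whose requested permissions look like a spyware set.

Added example for this article; the dumpsys sample and package names are constructed.
Usage on a real device: adb shell dumpsys package | python3 audit_perms.py
"""
import re
import sys
from typing import Dict, List, Set

# Capability groups from the article mapped to Android permission names.
# This mapping is our assumption for the example, not something ESET published.
SENSITIVE_GROUPS: Dict[str, Set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "call_log": {"android.permission.READ_CALL_LOG"},
}

# A chat app plausibly needs one or two of these; asking for this many at once is suspicious.
GROUP_THRESHOLD = 4

# Constructed sample of `dumpsys package` output: one over-privileged "chat" app, one benign app.
SAMPLE_DUMP = """\
Package [com.example.chatapp] (a1b2c3):
  userId=10123
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.SEND_SMS
    android.permission.RECORD_AUDIO
    android.permission.READ_CONTACTS
    android.permission.ACCESS_FINE_LOCATION
    android.permission.READ_EXTERNAL_STORAGE
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.notes] (d4e5f6):
  userId=10124
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_EXTERNAL_STORAGE
  install permissions:
    android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")


def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Return {package_name: set of requested permissions} from dumpsys text."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for raw in dump.splitlines():
        m = PKG_RE.match(raw)
        if m:                       # new package record starts
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        line = raw.strip()
        if line.endswith(":"):      # section header such as "install permissions:"
            in_requested = line == "requested permissions:"
            continue
        if in_requested and current and line.startswith("android.permission."):
            result[current].add(line)
    return result


def sensitive_groups(perms: Set[str]) -> List[str]:
    """Names of the sensitive capability groups touched by a permission set, sorted."""
    return sorted(g for g, names in SENSITIVE_GROUPS.items() if perms & names)


def audit(dump: str, threshold: int = GROUP_THRESHOLD) -> Dict[str, List[str]]:
    """Return {package: groups} for packages requesting >= threshold sensitive groups."""
    flagged: Dict[str, List[str]] = {}
    for pkg, perms in parse_requested_permissions(dump).items():
        groups = sensitive_groups(perms)
        if len(groups) >= threshold:
            flagged[pkg] = groups
    return flagged


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for pkg, groups in audit(text).items():
        print(f"{pkg}: requests {len(groups)} sensitive groups ({', '.join(groups)})")
```

Run against the constructed sample, only the chat app is reported, with five of the six groups; the notes app, which asks for storage only, stays quiet. A review like this does not prove an app is malicious, but it makes the mismatch between an app's stated purpose and its permission set visible before the app is granted them.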
