SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
ESET uncovers chat app malware spying and stealing user's data
Tue, 14th Jul 2020

ESET researchers have discovered a new operation that masquerades as a chat app to spy on users and leak stolen data.

The operation is reportedly part of a long-running cyber-espionage campaign in the Middle East that is said to have links to the threat actor group known as Gaza Hackers, or Molerats.

Instrumental in the operation is Android app Welcome Chat, which serves as spyware while also delivering the promised chatting functionality.

The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. This claim is entirely false, ESET researchers state.

According to the researchers, the Welcome Chat app behaves like any chat app downloaded from outside Google Play in that it needs the setting 'Allow installing apps from unknown sources' to be activated.

After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access to contacts and device location.

Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information.

Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device, according to ESET.

The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East.

BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, ESET researchers state they believe this campaign with the new Android trojans comes from the same threat actors.

Lukas Stefanko, the ESET researcher who conducted the analysis of Welcome Chat, says, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

He says, “Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind. Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network.”

ESET researchers tried to establish whether Welcome Chat is an attacker-trojanised version of a clean app, or a malicious app developed from scratch.

Stefanko says, “We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation.”

While the Welcome Chat-based espionage operation seems to be narrowly targeted, ESET strongly discourages users from installing apps from outside the official Google Play store, unless it's a trusted source such as the website of an established security vendor or some reputable financial institution.

In addition, ESET states, users should pay attention to what permissions their apps require and be suspicious of any apps that require permissions beyond their functionality, and, as a very basic security measure, should run a reputable security app on their mobile devices.