Left Menu
Development News Edition

ESET discovers new operation within cyber-espionage campaign in Middle East

Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality.

Devdiscourse News Desk | Updated: 15-07-2020 08:20 IST | Created: 15-07-2020 08:20 IST
ESET discovers new operation within cyber-espionage campaign in Middle East
ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app or a malicious app developed from scratch. Image Credit: Pexels

ESET researchers have discovered a new operation within a long-running cyber-espionage campaign in the Middle East, apparently with links to the threat actor group known as Gaza Hackers or Molerats.

Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality. The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. Both those claims are false; the claim of being "secure" couldn't be further from the truth, according to ESET researchers.

"In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store," says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

The Welcome Chat app behaves like any chat app downloaded from outside Google Play: it needs the setting "Allow installing apps from unknown sources" to be activated. After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access contacts and device location. Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information. Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device.

"Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind. Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network," comments Štefanko.

ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app or a malicious app developed from scratch. "We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation," explains Štefanko.

The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East. BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, we believe that this campaign with the new Android trojans comes from the same threat actors.

While the Welcome Chat-based espionage operation seems to be narrowly targeted, ESET strongly discourages users from installing apps from outside the official Google Play store – unless it's a trusted source, such as the website of an established security vendor or some reputable financial institution. On top of that, users should pay attention to what permissions their apps require and be suspicious of any apps that require permissions beyond their functionality – and, as a very basic security measure, users should run a reputable security app on their mobile devices.


TRENDING

OPINION / BLOG / INTERVIEW

Canada’s COVID-19 pitfalls highlight need for integrated health information system

In the globalized world of today where outbreaks can spread far and wide within a matter of days, a global-level integrated health information system is ideal but Canadas provincial barriers show that the country lags much behind in deployi...

Pandemic must be impetus, not obstacle, for clean water access

To make matters worse, there are suspicions that the inadequacy of wastewater treatment methods in California, the rest of the USA, and indeed around the world may help to propagate the disease even more widely. ...

3D printing and the future of manufacturing post COVID-19

The on-demand, customizable, and localized manufacturing of product components facilitated by 3D printing has the potential to redefine manufacturing but there are certain technical, mechanical, and legal limitations that, unless ...

How UK’s 'best prepared' healthcare system failed to gauge COVID-19

The UK is proud of their public health system and its unlike any other country as around 90 percent of British public supports the founding principles of National Health Service. But without accurate data being available to stakeholders in ...

Videos

Latest News

Lebanon registers record number of daily COVID-19 cases

Lebanon on Tuesday announced a record daily number of over 300 COVID-19 infections and seven deaths from the virus as the country grapples with the aftermath of the Beirut port explosion that rocked the capital and overwhelmed hospitals. Th...

British Airways reaches deal in principle with some Heathrow staff

British Airways has agreed a deal with trade unions representing parts of its workforce in Heathrow over planned job cuts, with the airlines chief executive saying significant progress had been made in a message to staff on Tuesday. On Frid...

Poet Rahat Indori laid to rest

Celebrated Urdu poet Rahat Indori, who died on Tuesday following a heart attack, was laid to rest in the presence of few relatives and close friends in the citys Choti Khajrani cemetery late in the evening. Because of the coronavirus pandem...

Watchdog report: Pompeo acted properly in Saudi arms sale

The State Departments internal watchdog has found that Secretary of State Mike Pompeo did not act improperly last year when he approved billions of dollars in arms sales to Saudi Arabia without the consent of Congress. The State Department ...

Give Feedback