Left Menu
Development News Edition

ESET discovers new operation within cyber-espionage campaign in Middle East

Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality.

Devdiscourse News Desk | Updated: 15-07-2020 08:20 IST | Created: 15-07-2020 08:20 IST
ESET discovers new operation within cyber-espionage campaign in Middle East
ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app or a malicious app developed from scratch. Image Credit: Pexels

ESET researchers have discovered a new operation within a long-running cyber-espionage campaign in the Middle East, apparently with links to the threat actor group known as Gaza Hackers or Molerats.

Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality. The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. Both those claims are false; the claim of being "secure" couldn't be further from the truth, according to ESET researchers.

"In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store," says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

The Welcome Chat app behaves like any chat app downloaded from outside Google Play: it needs the setting "Allow installing apps from unknown sources" to be activated. After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access contacts and device location. Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information. Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device.

"Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind. Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network," comments Štefanko.

ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app or a malicious app developed from scratch. "We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation," explains Štefanko.

The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East. BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, we believe that this campaign with the new Android trojans comes from the same threat actors.

While the Welcome Chat-based espionage operation seems to be narrowly targeted, ESET strongly discourages users from installing apps from outside the official Google Play store – unless it's a trusted source, such as the website of an established security vendor or some reputable financial institution. On top of that, users should pay attention to what permissions their apps require and be suspicious of any apps that require permissions beyond their functionality – and, as a very basic security measure, users should run a reputable security app on their mobile devices.


TRENDING

OPINION / BLOG / INTERVIEW

5G will be the key driving force for COVID-19 recovery: Here's how?

... ...

Canada’s COVID-19 pitfalls highlight need for integrated health information system

In the globalized world of today where outbreaks can spread far and wide within a matter of days, a global-level integrated health information system is ideal but Canadas provincial barriers show that the country lags much behind in deployi...

Pandemic must be impetus, not obstacle, for clean water access

To make matters worse, there are suspicions that the inadequacy of wastewater treatment methods in California, the rest of the USA, and indeed around the world may help to propagate the disease even more widely. ...

3D printing and the future of manufacturing post COVID-19

The on-demand, customizable, and localized manufacturing of product components facilitated by 3D printing has the potential to redefine manufacturing but there are certain technical, mechanical, and legal limitations that, unless ...

Videos

Latest News

Tennis-Halep sets up final date with Mertens at Prague Open

Romanian top seed Simona Halep beat compatriot Irina-Camelia Begu in straight sets in the semi-finals of the Prague Open on Saturday to set up a final with third seed Elise Mertens of Belgium. Halep was broken three times in the first set b...

Dhoni leaves cricketing world overwhelmed with emotions

It trembled after the tremor. But the cricket community soon got its act together. It had to, to remember, savour, cherish and exhaust its stock of superlatives of all manner to adorn Mahendra Singh Dhoni after the eternal enigma quietly wa...

Biggest single-day spike of 8,818 new cases in Karnataka

Karnataka on Saturday reported the biggest single-day spike of over 8,800 new cases of COVID-19 and 114 related fatalities. With this, the total number of infections rose to 2,19,926 and death toll to 3,831 in the state, the health departme...

Photographer Punalur Rajan dead; Kerala CM condoles

Noted photographer Punalur Rajan died in Kozhikode on Saturday due to cardiac ailments, family sources said. He was 81.Kerala Chief Minister Pinarayi Vijayan condoled the death of Rajan and said he pursued history with a politicalinsight. T...

Give Feedback