19 June 2019

Bouncing Golf cyberespionage campaign targets Android users with GolfSpy malware

A newly uncovered cyber espionage campaign has been targeting Android users in Middle Eastern countries with malware designed to steal a wide range of data from infected devices. So far researchers at Trend Micro, who discovered the operation, have observed more than 660 infected Android devices, and much of the information being stolen appears to be military-related.

In the new campaign, which has been named “Bouncing Golf” based on the malware’s code in the package named “golf,” the attackers infect victims’ devices with the highly invasive GolfSpy malware that is hidden inside once-legitimate applications that have been repackaged to contain malicious code. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps that are popular among Middle Easterners.

Instead of hosting the malware-laden apps on Google Play or popular third-party app marketplaces, the campaign operators distribute them via a website that is promoted on social media.

The GolfSpy malware is able to steal a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and history of the default browser, call logs and records, clipboard contents, contacts (including those in VCard format), mobile operator information, files stored on the SD card, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.

Additionally, GolfSpy can perform commands used for cyber espionage purposes, including searching for, listing, deleting, and renaming files as well as downloading a file into and retrieving a file from the device; taking screenshots; installing other application packages (APK); recording audio and video; and updating the malware.
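Because GolfSpy ships inside repackaged copies of legitimate apps, one practical triage step for a defender is to compare the permissions declared by a suspect APK against the permissions of the genuine app and map any additions onto the data-theft and control capabilities listed above. The following is an added example and not Trend Micro's tooling or GolfSpy code; it assumes the `uses-permission: name='...'` line format produced by `aapt dump permissions`, the two manifest dumps are constructed sample input for a hypothetical `com.example.messenger`, and the permission-to-capability mapping is the author's assumption about which Android permissions each described capability would require.

```python
import re

# Assumed mapping from the capabilities described in the article to the
# Android permissions a repackaged app would need to declare to use them.
CAPABILITY_PERMISSIONS = {
    "SMS messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs and records": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "video recording": {"android.permission.CAMERA"},
    "files on SD card": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "device accounts": {"android.permission.GET_ACCOUNTS"},
    "installing other APKs": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "mobile operator information": {"android.permission.READ_PHONE_STATE"},
}

# Matches one line of `aapt dump permissions` output (assumed format).
AAPT_PERMISSION = re.compile(r"uses-permission: name='([^']+)'")


def parse_aapt_permissions(dump):
    """Return the set of permission names declared in an aapt permissions dump."""
    return set(AAPT_PERMISSION.findall(dump))


def capabilities_enabled(permissions):
    """List the article's capabilities that the given permissions would enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if needed & permissions)


def permission_delta(baseline, candidate):
    """Compare a suspect app's permissions with the genuine app's baseline.

    Permissions present only in the candidate are the interesting ones: a
    repackaged messenger that suddenly wants SMS, call-log and location access
    is behaving like the spyware described above.
    """
    added = candidate - baseline
    removed = baseline - candidate
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "new_capabilities": capabilities_enabled(added),
    }


# Constructed sample input: a hypothetical genuine messenger...
GENUINE_DUMP = """\
package: name='com.example.messenger' versionCode='100'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

# ...and a constructed repackaged copy carrying extra, spyware-like permissions.
REPACKAGED_DUMP = """\
package: name='com.example.messenger' versionCode='100'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""


def triage_sample():
    """Run the comparison over the constructed dumps and return the delta."""
    return permission_delta(parse_aapt_permissions(GENUINE_DUMP),
                            parse_aapt_permissions(REPACKAGED_DUMP))


if __name__ == "__main__":
    result = triage_sample()
    for perm in result["added"]:
        print("added permission:", perm)
    print("capabilities gained:", ", ".join(result["new_capabilities"]))
```

The baseline should come from a copy of the app obtained through its official distribution channel, since the whole point of the campaign is that the sideloaded copy looks identical to the user; a clean baseline turns a long permission list into a short, reviewable delta.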

The campaign operators also try to cover their activity. For instance, the registrant contact details of the C&C domains used in the campaign were masked. The C&C server IP addresses are also disparate, located in several European countries such as Russia, France, the Netherlands, and Germany.

The experts also note that the “Bouncing Golf” campaign could be related to a previously reported mobile cyber espionage campaign named “Domestic Kitten”, which has been attributed by security researchers to Iranian state actors and is known to target Iranians, as well as Kurdish and Urdu natives, ISIS supporters and Yemeni citizens. According to Trend Micro, the “Bouncing Golf” and “Domestic Kitten” operations share the same code strings in their decoding algorithm, both campaigns repackage apps that are commonly used in their targets’ countries, and both organize their stolen data using unique identifying characters.
