19 June 2019

Bouncing Golf cyberespionage campaign targets Android users with GolfSpy malware

A newly uncovered cyber espionage campaign has been targeting Android users in Middle Eastern countries with malware designed to steal a wide range of data from infected devices. So far researchers at Trend Micro, who discovered the operation, have observed more than 660 infected Android devices, and much of the information being stolen appears to be military-related.

In the new campaign, which has been named “Bouncing Golf” based on the malware’s code in the package named “golf,” the attackers infect victims’ devices with the highly invasive GolfSpy malware that is hidden inside once-legitimate applications that have been repackaged to contain malicious code. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps that are popular among Middle Easterners.

Instead of hosting the malware-laden apps on Google Play or popular third-party app marketplaces, the campaign operators distribute them via a website, which is promoted on social media.

The GolfSpy malware is able to steal a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and history of the default browser, call logs and recordings, clipboard contents, contacts (including those in vCard format), mobile operator information, files stored on the SD card, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.

Additionally, GolfSpy can perform commands used for cyber espionage purposes, including searching for, listing, deleting, and renaming files as well as downloading a file into and retrieving a file from the device; taking screenshots; installing other application packages (APK); recording audio and video; and updating the malware.

The campaign operators also try to cover their activity. For instance, the registrant contact details of the C&C domains used in the campaign were masked. The C&C server IP addresses also appear to be disparate, as they were located in several European countries, including Russia, France, the Netherlands, and Germany.

The experts also note that the “Bouncing Golf” campaign could possibly be related to a previously reported mobile cyber espionage campaign named “Domestic Kitten”, which has been attributed by security researchers to Iranian state actors and is known to target Iranians, as well as Kurdish and Urdu natives, ISIS supporters and Yemeni citizens. According to Trend Micro, the “Bouncing Golf” and “Domestic Kitten” operations share the same strings of code in their decoding algorithm, both campaigns repackage apps that are commonly used in their targets’ countries, and both organize their stolen data using unique identifying characters.
