A newly uncovered cyber espionage campaign has been targeting Android users in Middle Eastern countries with malware designed to steal a wide range of data from infected devices. So far researchers at Trend Micro, who discovered the operation, have observed more than 660 infected Android devices, and much of the information being stolen appears to be military-related.
In the new campaign, which has been named “Bouncing Golf” after the “golf” package name found in the malware’s code, the attackers infect victims’ devices with the highly invasive GolfSpy malware. GolfSpy is hidden inside legitimate applications that have been repackaged to carry the malicious code. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps that are popular among Middle Eastern users.
Instead of hosting the malware-laden apps on Google Play or popular third-party app marketplaces, the campaign operators distribute them through a website that is promoted on social media. Because the apps are not installed from an official store, a victim has to sideload the APK, so unexpected prompts to allow installation from unknown sources, or a known messaging app that was not installed from Google Play, are a warning sign worth checking.
The GolfSpy malware is able to steal a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and history of the default browser, call logs and recordings, clipboard contents, contacts (including those in vCard format), mobile operator information, files stored on the SD card, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.
Additionally, GolfSpy accepts commands from its operators that serve its espionage purpose, including searching for, listing, deleting and renaming files; downloading a file onto, and retrieving a file from, the device; taking screenshots; installing other application packages (APKs); recording audio and video; and updating the malware itself.
The campaign operators also try to cover their tracks. For instance, the registrant contact details of the C&C domains used in the campaign were masked, and the C&C server IP addresses are spread across several countries, including Russia, France, the Netherlands and Germany, rather than concentrated in one hosting location.
The researchers also note that the “Bouncing Golf” campaign could be related to a previously reported mobile cyber espionage campaign named “Domestic Kitten”, which security researchers have attributed to Iranian state actors and which is known to target Iranians, as well as Kurdish and Urdu natives, ISIS supporters and Yemeni citizens. According to Trend Micro, “Bouncing Golf” and “Domestic Kitten” share the same code strings in their decoding algorithm, both repackage apps that are commonly used in their targets’ countries, and both organize their stolen data using unique identifying characters. Trend Micro presents this as a possible link rather than a firm attribution.