19 June 2019

Bouncing Golf cyberespionage campaign targets Android users with GolfSpy malware

A newly uncovered cyber espionage campaign has been targeting Android users in Middle Eastern countries with malware designed to steal a wide range of data from infected devices. So far, researchers at Trend Micro, who discovered the operation, have observed more than 660 infected Android devices, and much of the information being stolen appears to be military-related.

In the new campaign, which has been named “Bouncing Golf” based on the malware’s code in the package named “golf,” the attackers infect victims’ devices with the highly invasive GolfSpy malware that is hidden inside once-legitimate applications that have been repackaged to contain malicious code. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps that are popular among Middle Easterners.

Instead of hosting the malware-laden apps on Google Play or popular third-party app marketplaces, the campaign operators distribute them via a website, which is being promoted on social media.

The GolfSpy malware is able to steal a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and history of the default browser, call logs and records, clipboard contents, contacts (including those in VCard format), mobile operator information, files stored on the SD card, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.

Additionally, GolfSpy can perform commands used for cyber espionage purposes, including searching for, listing, deleting, and renaming files as well as downloading a file into and retrieving a file from the device; taking screenshots; installing other application packages (APK); recording audio and video; and updating the malware.

The campaign operators also try to cover their tracks. For instance, the registrant contact details of the C&C domains used in the campaign were masked. The C&C server IP addresses also appear to be deliberately dispersed, being located in several European countries such as Russia, France, the Netherlands and Germany.

The experts also note that the “Bouncing Golf” campaign could possibly be related to a previously reported mobile cyber espionage campaign named “Domestic Kitten”, which security researchers have attributed to Iranian state actors and which is known to target Iranians, as well as Kurdish and Urdu natives, ISIS supporters and Yemeni citizens. According to Trend Micro, the “Bouncing Golf” and “Domestic Kitten” operations share the same code strings in their decoding algorithm, both campaigns repackage apps that are commonly used in their targets’ countries, and both organize their stolen data using unique identifying characters.
