Posted on 07-15-2020.
ESET researchers have discovered a new major privacy threat within a “long-running cyber-espionage campaign” in the Middle East. The new malicious agent is an Android messenger app called Welcome Chat. The rogue app is believed to be linked to the Gaza Hackers group, a.k.a. Molerats.
“Based on the functionality, hackers might use it to spy on users’ activity. This Welcome Chat app might be used in targeted espionage to make targeted individuals install it and even communicate via it,” says Lukas Stefanko, Malware Researcher at ESET. The app is designed to send data to and receive commands from the C&C server every five minutes. Besides its main purpose—monitoring the private messaging of its users—the app is capable of several other malicious actions:
“This malware allows the attacker to extract sent and received SMS messages, get call log history, obtain contact list, user photos, can record user’s phone calls, GPS location of the device, and exchanged chat messages from this Welcome Chat app,” noted Lukas Stefanko.
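The fixed five-minute C&C check-in described above is the kind of behaviour a defender can look for in network telemetry. The following is an added example, not code from ESET or the original article: it scans constructed proxy log lines (hostnames and addresses are invented placeholders) and flags source/destination pairs whose contacts are evenly spaced, the signature of a periodic beacon.

```python
from datetime import datetime
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "ISO-timestamp src_ip dst_host".
# c2.example.invalid is contacted roughly every 300 s; the other hosts are not.
SAMPLE_LOG = """\
2020-07-15T10:00:02 10.0.0.5 c2.example.invalid
2020-07-15T10:00:40 10.0.0.5 cdn.example.invalid
2020-07-15T10:01:00 10.0.0.5 news.example.invalid
2020-07-15T10:02:30 10.0.0.5 news.example.invalid
2020-07-15T10:05:03 10.0.0.5 c2.example.invalid
2020-07-15T10:07:11 10.0.0.5 cdn.example.invalid
2020-07-15T10:09:00 10.0.0.5 news.example.invalid
2020-07-15T10:10:01 10.0.0.5 c2.example.invalid
2020-07-15T10:15:04 10.0.0.5 c2.example.invalid
2020-07-15T10:16:45 10.0.0.5 news.example.invalid
2020-07-15T10:19:55 10.0.0.5 cdn.example.invalid
2020-07-15T10:20:02 10.0.0.5 c2.example.invalid
2020-07-15T10:22:10 10.0.0.5 news.example.invalid
2020-07-15T10:25:03 10.0.0.5 c2.example.invalid
"""

def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(records, min_hits=5, max_jitter_ratio=0.05):
    """Return {(src, dst): mean_interval_seconds} for evenly spaced contacts.

    A periodic check-in shows up as inter-arrival gaps whose standard deviation
    is small relative to their mean; irregular browsing does not. min_hits avoids
    flagging pairs with too few observations to judge regularity.
    """
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            flagged[pair] = round(avg)
    return flagged

if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))  # {('10.0.0.5', 'c2.example.invalid'): 300}
```

The jitter threshold and minimum hit count are tuning knobs; real beacons often add random sleep, so a looser ratio over a longer window is usually needed in production.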
“There is a major question mark with this option: to this day, we have not been able to discover any clean version of the Welcome Chat app,” the report reads. “This leads us to believe that the attackers developed the malicious chat app on their own. Creating a chat app for Android is not difficult; there are many detailed tutorials on the internet. With this approach, the attackers have better control over the compatibility of the app’s malicious functionality with its legitimate functions, so they can ensure that the chat app will work.”
“The database contains data such as name, email, phone number, device token, profile picture, messages, and friends list–in fact, all the users’ data except for the account passwords can be found uploaded to the unsecured server,” explained Lukas Stefanko.
“The Welcome Chat espionage app belongs to the very same Android malware family that we identified at the beginning of 2018. That malware used the same C&C server, pal4u.net, as the espionage campaign targeting the Middle East that was identified in late 2017 by Palo Alto Networks and named BadPatch. In late 2019, Fortinet described yet another espionage operation focused on Palestinian targets with the domain pal4u.net among its indicators of compromise,” the research reads.
“In this case, it is really hard to conclude this app is fishy for the user since it requests permissions that would be naturally requested by any other messaging app. My advice would be that if the user can’t verify the legitimacy of the website or the app, I would suggest using a trustworthy security solution that is up-to-date before installing this app,” Stefanko concludes.