Security researchers at Trend Micro have spotted a
Threat actors are using a piece of Android malware, detected as GolfSpy, that implements multiple features and can hijack the victim’s device.
GolfSpy could steal the following information:
Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.
“We uncovered a
According to the experts who have analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with GolfSpy malware. The attackers appear to be focused
The researchers speculate on a possible connection to Domestic Kitten, an extensive surveillance operation that an Iranian APT actor has been running against specific groups of individuals since 2016.
Experts found similarities between the two operations, including similarly structured strings of code and the format of the data targeted for theft.
The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.
Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.
The malicious code allows the attackers to choose which data types to collect. Stolen data is encrypted with a simple XOR operation using a pre-configured key, then sent to the C&C server via HTTP POST requests.
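What the XOR-with-a-fixed-key step means in practice, as an added example (this is not Trend Micro's tooling and not GolfSpy's own code): the key `k3y-xor!`, the JSON record layout, the field names and the `find_repeating_key` helper below are constructed assumptions for illustration. A fixed-key XOR is its own inverse, so anyone holding a captured POST body and the key reads the data, and a few bytes of known plaintext are enough to recover the key without ever touching the sample.

```python
"""
Added example (not Trend Micro's analysis code and not GolfSpy's own code):
what "encrypted with a simple XOR operation using a pre-configured key" means
for an analyst holding a captured HTTP POST body. The key, the JSON record
layout and the field names below are constructed assumptions for illustration.
"""
import json
from itertools import cycle
from typing import Any, Dict, Optional

# Constructed assumptions: GolfSpy's real key and record format are not given here.
SAMPLE_KEY = b"k3y-xor!"
SAMPLE_RECORD: Dict[str, Any] = {
    "deviceId": "a1b2c3",        # stands in for the per-device unique ID
    "type": "contacts",          # the data category the operator selected
    "items": ["Alice <+10000000000>", "Bob <+10000000001>"],
}
# What an analyst can usually assume about the first bytes of a record,
# e.g. from reversing the APK's serialisation code (assumed layout).
KNOWN_PREFIX = b'{"deviceId":"'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: applying it twice restores the input."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_exfil_body(record: Dict[str, Any], key: bytes) -> bytes:
    """Serialise a record and XOR it, as the malware side would before the POST."""
    plaintext = json.dumps(record, separators=(",", ":")).encode()
    return xor_bytes(plaintext, key)


def decode_exfil(body: bytes, key: bytes) -> Dict[str, Any]:
    """Reverse build_exfil_body: XOR is its own inverse, then parse the JSON."""
    return json.loads(xor_bytes(body, key).decode())


def find_repeating_key(body: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    ciphertext XOR plaintext gives the keystream for those positions. The key
    is the shortest period of that stream that is confirmed by at least one
    wrapped-around byte; returns None if the prefix is too short to confirm any.
    """
    stream = bytes(c ^ p for c, p in zip(body, known_prefix))
    for n in range(1, min(max_key_len, len(stream) - 1) + 1):
        candidate = stream[:n]
        if xor_bytes(body[: len(stream)], candidate) == known_prefix:
            return candidate
    return None


if __name__ == "__main__":
    body = build_exfil_body(SAMPLE_RECORD, SAMPLE_KEY)
    key = find_repeating_key(body, KNOWN_PREFIX)
    print("recovered key:", key)
    print("decoded record:", decode_exfil(body, key))
```

The practical consequence for a network defender is that a fixed-key XOR protects nothing once either the APK or a handful of bytes of known record layout are available, which is why this kind of "encryption" is better described as obfuscation; a longer known prefix lets `find_repeating_key` confirm correspondingly longer keys.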
The operators behind the Bouncing Golf
“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users,” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device.”