Security Researchers recently discovered a new malware trojan called GolfSpythat targets android phone users in the Middle East and was designed to steal personal information and potentially take control over mobile devices.The malware’s cyberespionage campaign was named “Bouncing Golf”based on the malware’s code in the package named “golf.”This info-stealing malware is known for its wide range of cyberespionage capabilities. Cyberespionage is a form of cyberattack that steals classified, sensitive data or intellectual property to gain an advantage over a competitive company or government entity.The goal is typically to acquire intellectual property or government secrets.
This info-stealing malware was found to be attached in apps that the operators repackaged from once-legitimate applications. Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps are included in the repackaged apps as well as various lifestyle, book and reference apps typically used by Android users in the Middle East.These legitimate mobile applications were not found in either the Google Play store or other third-party marketplaces but were found on a host website that was promoted on social media.
Researchers undergone malware check and according to their observations, GolfSpy malware stole military-related information, which reveals the perpetrators’ top choice of target.Researchers monitor the command and control (C&C) servers of the Bouncing Golf and found out more than 660 Android devices were infected with GolfSpy. Though it was not understandable that only small or limited numbers of android devices have been affected by the Bouncing Golf campaign, researchers expect it to increase or even diversify in terms of distribution.
This GolfSpy malware has the ability to steal a wealth of information including device accounts, lists of installed applications, running processes, battery status, bookmarks and histories of the default browser, call logs and records, clipboard contents, contacts, and mobile operator information. Moreover, it could also creep into SD cards and steal the files stored such as device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.
Aside from stealing information from an android device, GolfSpy malware can also connect to a remote server to collect and perform commands including searching for, listing, deleting, and renaming files as well as downloading a file into and retrieving a file from the device. Moreover, it can also perform additional commands used for espionage purposes, including recording audio and video,taking screenshots, installing additional application packages, and updating malware.
The registrant contact details of the C&C domains used in the campaign were masked to cover the operators’ tracks. GolfSpy then encrypts the stolen information to a malicious C2 server and communicates using the HTTP POST method and creates a socket connection to the remote C&C server in order to receive and perform additional commands.The C&C server IP addresses used in the attack was also different, as they were located in multiple European countries including Russia, France, Netherlands, and Germany.
Given the pervasiveness of the malware trojan, including tried-and-tested techniques to lure unaware users, researchers noted to the public that they expect more cyberespionage campaigns targeting the mobile platform this coming year.