Attacker-Developed Chat App Used Public Code to Spy, Exposes User Data

Hundreds of malicious apps have been showing up on the Google Play Store, disguised as legitimate applications. In July 2020, ESET researchers found an Android-based chat app that was working as spyware and targeted users in the Middle East.

The malicious ‘Welcome Chat’ app

The hackers advertised the app, named ‘Welcome Chat’, as a secure communication solution. Working as an espionage tool, the app left the data harvested from its victims freely available on the internet.
  • The app asks victims for the permissions a chat app would normally need; once they are granted, it sends information about the device to its C&C server and polls that server every five minutes for further instructions. The app lacks basic security measures such as encrypting data in transit.
  • Monitoring its users' chat communications is the app's core espionage functionality. As a complementary action, it exfiltrates sent and received SMS messages, call log history, photos, contacts, recorded phone calls, the GPS location of the device, and device information.
  • The operation appears to be linked to the BadPatch malware, identified in 2017 and used by the Gaza Hackers threat actor group, also known as Molerats.
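As an added example (not code from the article or from ESET's report), the following Python flags devices that poll a single host on a near-fixed five-minute cadence over cleartext HTTP, the two behaviours described in the bullets above; the proxy log format, client addresses and hostnames are constructed for the example.

```python
# Added example: detect fixed-interval polling of one host over cleartext HTTP.
# Log format, client addresses and hostnames are assumptions, not from the article.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <client> <scheme> <host>"
SAMPLE_LOG = """\
2020-07-01T10:00:00 10.0.0.7 http example-c2.invalid
2020-07-01T10:05:01 10.0.0.7 http example-c2.invalid
2020-07-01T10:09:59 10.0.0.7 http example-c2.invalid
2020-07-01T10:15:02 10.0.0.7 http example-c2.invalid
2020-07-01T10:20:00 10.0.0.7 http example-c2.invalid
2020-07-01T10:00:10 10.0.0.7 https mail.example.invalid
2020-07-01T10:01:00 10.0.0.9 https cdn.example.invalid
2020-07-01T10:07:30 10.0.0.9 https cdn.example.invalid
2020-07-01T10:30:00 10.0.0.9 https cdn.example.invalid
"""

def parse_log(text):
    """Yield (client, scheme, host, timestamp) from the constructed log format."""
    for line in text.splitlines():
        ts, client, scheme, host = line.split()
        yield client, scheme, host, datetime.fromisoformat(ts)

def find_beacons(text, period=300, tolerance=5, min_hits=4):
    """Return (client, host, median_gap_seconds, cleartext) for each client/host
    pair whose requests recur about every `period` seconds (+/- tolerance)."""
    seen = defaultdict(list)
    for client, scheme, host, ts in parse_log(text):
        seen[(client, scheme, host)].append(ts)
    findings = []
    for (client, scheme, host), stamps in seen.items():
        if len(stamps) < min_hits:          # too few requests to judge cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Regular cadence: all but at most one gap sit within tolerance of the
        # median, and the median itself matches the expected polling period.
        regular = sum(abs(g - mid) <= tolerance for g in gaps) >= len(gaps) - 1
        if regular and abs(mid - period) <= tolerance:
            findings.append((client, host, mid, scheme == "http"))
    return findings

if __name__ == "__main__":
    for client, host, mid, cleartext in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every ~{mid:.0f}s, cleartext={cleartext}")
```

The cleartext flag matters because a plain-HTTP beacon can be inspected and blocked at the proxy, while the same cadence over TLS would need a different control such as a certificate or SNI allow-list.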

Messaging apps as targets

In recent attacks, hackers were seen targeting several popular messaging apps.
  • In April 2020, the Evil Eye threat actor used an application named INSOMNIA that targeted WeChat, Signal, and many other apps and stole users' data from them.
  • In March 2020, a new form of iOS malware called LightSpy compromised the WeChat and QQ messaging apps, exfiltrating account information, contacts, groups, messages, and files in a watering-hole attack campaign.

Security recommendations

Users should not install apps from outside the Google Play Store or from other untrusted sources. Pay attention to, and be vigilant about, the permissions each app requests. Run a reputable security solution on the device to scan for any existing threats.