A newly discovered cyber espionage campaign has been targeting Android users in the Middle East with malware designed to steal a wide range of device information, snoop on victims and potentially take over mobile devices.
Known as GolfSpy, the malware is found in once-legitimate applications that have been repackaged to contain malicious code, according to a June 18 blog post from Trend Micro, whose researchers uncovered the operation.
The researchers did not find these apps in either the Google Play store or third-party marketplaces. Instead, they were observed on a host website that was promoted on social media. Repackaged apps include the Kik, Imo, Plus Messenger, Telegram, Signal and WhatsApp Business messaging apps, as well as various lifestyle, book and reference apps typically used by Middle Easterners.
So far, much of the information stolen by GolfSpy looks to be related to the military, according to the report — an observation that may reveal the perpetrators’ preferred targets. More than 660 devices are known to have been infected, “but we also expect it to increase or even diversify in terms of distribution,” write Trend Micro researchers Ecular Xu and Grey Guo, the blog post’s authors.
According to Trend Micro, GolfSpy is capable of stealing a wealth of information, including device accounts, lists of installed applications, running processes, battery status, bookmarks and history of the default browser, call logs and records, clipboard contents, contacts (including those in VCard format), mobile operator information, files stored on an SD card, device location, storage and memory information, connection information, sensor information, SMS messages, pictures, and lists of stored image, audio and video files.