ESET researchers have discovered a new operation within a long-running cyber-espionage campaign in the Middle East, apparently with links to the threat actor group known as Gaza Hackers, or Molerats.
Instrumental in the operation is an Android app, Welcome Chat, which serves as spyware while also delivering the promised chatting functionality. The malicious website promoting and distributing the app claims to offer a secure chat platform that is available on the Google Play store. Both those claims are false; the claim of being “secure” couldn’t be further from the truth, according to ESET researchers.
“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store,” says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.
The Welcome Chat app behaves like any chat app downloaded from outside Google Play: it needs the setting “Allow installing apps from unknown sources” to be activated. After installation, it requests permission to send and view SMS messages, access files, and record audio, as well as requesting access contacts and device location. Immediately after receiving the permissions, Welcome Chat starts receiving commands from its Command and Control (C&C) server, and it uploads any harvested information. Besides chat messages, the app steals information such as sent and received SMS messages, history of calls, contact list, photos, phone call recordings and GPS location of the device.
ESET researchers tried to establish whether Welcome Chat is an attacker-trojanized version of a clean app, or a malicious app developed from scratch. “We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” explains Štefanko.
The Welcome Chat espionage app belongs to a known Android malware family and shares infrastructure with a previously documented espionage campaign named BadPatch, which also targeted the Middle East. BadPatch has been attributed to the Gaza Hackers, aka Molerats, threat actor group. Based on this, we believe that this campaign with the new Android trojans comes from the same threat actors.