Malicious Chat App Targets Android Users in Middle East
Report: 'Welcome Chat' Advertised as 'Safe' for Users
A malicious Android app called Welcome Chat has been spotted targeting users in Middle Eastern countries where chat apps are illegal, according to a new report by security firm ESET.
The app is a fully functioning chat client, but under the hood it is spyware capable of stealing an Android user's data. ESET suspects the app is associated with Molerats, a threat group with ties to a Gaza-based hacking gang, which distributed the BadPatch cyber espionage malware.
The operators behind Welcome Chat are spreading it through an Arabic-language website, registered in October 2019, that caters to people living in countries where chat apps are illegal, the ESET researchers say. The threat actors falsely claim that the app is a secure messaging platform that can be downloaded from the Google Play Store.
"It is a functioning chat app that delivers the promised functionality along with its hidden espionage capacity. The Welcome Chat espionage app seems to have targeted Arabic-speaking users: Both the default website language and default in-app language are Arabic," says Lukas Stefanko, an ESET researcher.
Stefanko points out that the operators of the app appear to have poor operational security: the stolen data is uploaded over plain HTTP, so it travels unencrypted and can be read by anyone positioned on the network path.
How the App Works
Almost immediately after the app is opened, it asks the user to enable "installing apps from unknown sources" in the Settings menu. This is a strong indicator that the app is malicious, the ESET researchers say. The request also shows that the app is not being installed from the Google Play Store but sideloaded from a third-party app store, according to the report.
Once installation is complete, the app asks the victim to grant it permission to send and view SMS messages, access files, record audio, and access contacts and the device's location, the researchers note.
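The permission set described above is visible before the app is ever run, in its manifest. The following added example (written for this page, not ESET's tooling) parses a constructed AndroidManifest.xml that mirrors the permissions the report lists and flags the combination a messenger has no business asking for. The package name and the manifest contents are assumptions, not the real Welcome Chat manifest; on a real APK you would first decode the binary manifest with apktool, or list permissions with `aapt dump permissions app.apk`.

```python
"""Static triage of an Android manifest for the spyware-style permission set.

Added example, not ESET's code. SAMPLE_MANIFEST is constructed to mirror the
permissions the report lists; the package name is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> the capability it grants (categories taken from the article).
SENSITIVE = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "read SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "access files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "access files",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.ACCESS_COARSE_LOCATION": "track location",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

# Constructed sample manifest (hypothetical package name, not from the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.welcomechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:usesCleartextTraffic="true"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def allows_cleartext(manifest_xml):
    """True if the app opts in to plain-HTTP traffic via usesCleartextTraffic."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true"


def triage(manifest_xml):
    """Summarise sensitive permissions and flag the spyware-like combination."""
    perms = declared_permissions(manifest_xml)
    caps = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    # Heuristic: a chat app that can read SMS, record audio and install other
    # packages is asking for more than messaging needs.
    suspicious = {"read SMS", "record audio", "install other apps"} <= set(caps)
    return {
        "sensitive_permissions": [p for p in perms if p in SENSITIVE],
        "capabilities": caps,
        "cleartext_allowed": allows_cleartext(manifest_xml),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The heuristic is deliberately narrow: many legitimate apps ask for contacts or location, so the flag keys on the combination of SMS access, audio recording and the ability to install further packages, with the cleartext-traffic opt-in reported separately as a supporting signal.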
Next, the user is required to register and create a personal account in order to communicate with other users of the app. Once this information is received, the app sends information about the device to a command-and-control server and then contacts that server every five minutes, Stefanko notes.
The exfiltrated data includes the user's chat communications, sent and received SMS messages, call log history, contact list, photos, recorded phone calls, the device's GPS location and device information, according to the researchers.
Although it's common for malicious actors to convert a legitimate product into an attack vehicle, the ESET researchers believe this app was built from scratch by the attackers.
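Two behaviours above are detectable from the network side without touching the device: the fixed five-minute check-in cadence and the plain-HTTP uploads. The following added example (written for this page, not ESET's tooling) runs both checks over a few constructed proxy log lines. The log format, client address, timestamps and URL paths are invented; pal4u.net is used as the destination only because the report names it as the family's command-and-control domain.

```python
"""Beacon-cadence and cleartext-upload detection over proxy log lines.

Added example, not ESET's code. LOG_LINES are constructed: the format,
client, timestamps and paths are invented; pal4u.net is the C2 domain the
report names.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed format: "<ISO timestamp> <client> <method> <url> <bytes_sent>"
LOG_LINES = """\
2020-07-14T10:00:02 10.0.0.7 POST http://pal4u.net/api/upload 4821
2020-07-14T10:00:31 10.0.0.7 GET https://www.google.com/ 230
2020-07-14T10:05:03 10.0.0.7 POST http://pal4u.net/api/upload 512
2020-07-14T10:10:01 10.0.0.7 POST http://pal4u.net/api/upload 498
2020-07-14T10:12:45 10.0.0.7 GET https://example.org/news 310
2020-07-14T10:15:02 10.0.0.7 POST http://pal4u.net/api/upload 505
2020-07-14T10:20:04 10.0.0.7 POST http://pal4u.net/api/upload 60210
2020-07-14T10:25:01 10.0.0.7 POST http://pal4u.net/api/upload 499
""".splitlines()


def parse(line):
    """Split one log line into its fields, extracting scheme and host from the URL."""
    ts, client, method, url, size = line.split()
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "scheme": scheme,
        "host": host,
        "bytes": int(size),
    }


def cleartext_uploads(events, min_bytes=256):
    """POST bodies sent over plain http: readable by anyone on the path."""
    return [e for e in events
            if e["scheme"] == "http" and e["method"] == "POST" and e["bytes"] >= min_bytes]


def beacons(events, period=300, tolerance=0.05, min_hits=4):
    """Hosts a client contacts on a near-fixed cadence (default: every 5 minutes)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[(e["client"], e["host"])].append(e["ts"])
    found = {}
    for key, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # Low jitter around the expected period is the beacon signature;
        # user-driven browsing produces irregular gaps.
        if abs(avg - period) <= period * tolerance and jitter <= period * tolerance:
            found[key] = {"interval_s": round(avg), "jitter_s": round(jitter, 1), "hits": len(stamps)}
    return found


def analyse(lines):
    """Run both detections and return their findings together."""
    events = [parse(line) for line in lines]
    return {
        "cleartext_uploads": [(e["host"], e["bytes"]) for e in cleartext_uploads(events)],
        "beacons": beacons(events),
    }


if __name__ == "__main__":
    result = analyse(LOG_LINES)
    print("beacons:", result["beacons"])
    print("cleartext uploads:", result["cleartext_uploads"])
```

The cadence check deliberately ignores the payload: the 60 KB upload in the sample (a recorded call or a batch of photos in the scenario the report describes) stands out in the cleartext list, while the beacon list keys only on timing, so a host that checks in every 300 seconds is flagged even when each check-in is tiny.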
"Typically, Trojanized apps are created via a process of appending the malicious functionality to a legitimate app," Stefanko says. "The bad guys find and download a suitable app. After decompiling it, they add the malicious functionality and recompile the now malicious yet still functioning app to spread it among their desired audience."
But in this case no "clean" version of the Welcome Chat app has been found in any online market, he adds.
The ESET researchers found debug logs left in the code that offered other insights into how it was created. "We were able to determine that most of the malicious code was copied from publicly available open source code projects and code example snippets available on public forums," the report notes.
This information, along with some additional data, led ESET to conclude that the actors behind Welcome Chat likely also operated BadPatch.
"The Welcome Chat espionage app belongs to the very same Android malware family that we identified at the beginning of 2018. That malware used the same command-and-control server, pal4u.net, as the espionage campaign targeting the Middle East that was identified in late 2017 by Palo Alto Networks and named BadPatch," the ESET report notes.
Recent Malicious Apps Incidents
Attackers have increasingly targeted Android users.
For example, earlier this month, Check Point Research reported a new version of the Joker mobile malware that infects Android devices. The malware, hidden within 11 seemingly legitimate apps in the Google Play Store, evaded the app store's security tools (see: Updated Joker Android Malware Adds Evasion Techniques).
Malwarebytes researchers also recently reported that fraudsters were able to insert a Trojan called Cerberus into the Play Store by hiding it within a currency converter app (see: Cerberus Banking Trojan Targeted Spanish Android Users).