Android Spyware Targets Security Job Seekers in Saudi Arabia

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, Intel Security Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism but also for intelligence gathering. Today we shed light on a new campaign targeting Saudi Arabia.

We have identified a campaign that is working in tandem with a job site that offers work for security personal in government or military jobs.

20160527-website

The spyware, Android/ChatSpy, was distributed as a private chat application. It steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.

20160527-icon

The motives behind the spyware author are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.

Let’s take a look at spyware’s behavior. After it runs, the spyware shows only a screen with the network carrier and user’s phone number information, nothing more.

20160527-screenshot

At the same time, the spyware runs in the background and gathers device information, contacts, browser history, SMS messages, and call logs on the infected device, and posts them to the attacker’s server. Then Then the spyware sends the message “New victim arrived” to notify the attacker of the infection and hides its application icon from the menu to prevent uninstallation and keep its spying activities secret.

20160527-code1

The spyware keeps monitoring incoming SMS messages and takes screenshots, and records incoming/outgoing voice calls in the background. This user-sensitive information is also posted to the attacker’s server. The server runs a MySQL database and collects the data from infected devices. How is the information used? Most likely in a subsequent targeted attack.

20160527-code2

Although the spyware works cleanly and quietly, the application code is of poor quality. The spyware has “spy” in the package name, and the hardcoded SMS message to the attacker has “victim” in plain text. The spyware uses an open-source “call-recorder-for-android,” found on GitHub, to implement the voice-call recording function. With such sloppy coding, the spyware must have been developed in a rush job by a “script kiddie.”

Intel Security recommends you install mobile security software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/ChatSpy and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

SHA-256 hash of analyzed sample(s):

  • 7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb
  • 4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b

Control server:

  • hxxp://ksa-sef[dot]com/Hack%20Mobaile/

Leave a Comment

four − 3 =