July 14, 2020

Welcome Chat: Fake messaging app steals sensitive mobile data

By Robert Scammell

Security researchers have uncovered a fake mobile chat app that steals phone data and has ties to a long-running cyber espionage campaign in the Middle East.

Welcome Chat works as a functioning messaging app but behind the scenes it is harvesting user data for spying purposes, according to the researchers at cybersecurity firm ESET.

During installation, Welcome Chat asks for permission to allow apps to be installed from “unknown sources”. It also asks for access to SMS messages, files, location data, contacts and the ability to record audio – permissions that users are accustomed to giving.

Once these permissions are granted the app immediately starts harvesting user data – including SMS messages, phone recordings and GPS location – and sending it back to the criminal hackers.

To make matters worse, stolen data is accessible to others on the same network.

Welcome Chat: Spilling data

The people behind Welcome Chat falsely advertised the app as being on the Google Play store, where apps are heavily scrutinised by Google and cybersecurity companies – including ESET.

“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store,” says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

The malware infrastructure underpinning the Welcome Chat app has similarities to a previously documented espionage campaign in the Middle East, known as ‘BadPatch’.

This malware has been connected to the threat group ‘Gaza Hackers’, also known as the Molerats. The group has been active since 2012 and has targeted victims in the Middle East, US and EU.

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” said Štefanko.

Jake Moore, cybersecurity specialist at ESET, told Verdict that it’s “vital” to properly research an app you intend to use for sending sensitive data before downloading.

“There are plenty of well-known encrypted privacy-focused apps on the stores that help protect the users,” he said.

“False claims are rare, but it highlights the importance of looking into the background of apps and checking for multiple reviews. Users should be vigilant and remain cautious of anything that asks to ‘Allow installing apps from unknown sources’, as this can be very damaging when permissions are granted and handed over.”

