Security researchers have uncovered a fake mobile chat app that steals phone data and has ties to a long-running cyber espionage campaign in the Middle East.

Welcome Chat works as a functioning messaging app, but behind the scenes it harvests user data for spying purposes, according to researchers at cybersecurity firm ESET.

During installation, Welcome Chat asks for permission to allow apps to be installed from “unknown sources”. It also asks for access to SMS messages, files, location data, contacts and the ability to record audio – permissions that users are accustomed to giving.

Once these permissions are granted, the app immediately starts harvesting user data – including SMS messages, phone recordings and GPS location – and sending it back to the criminal hackers.

To make matters worse, stolen data is accessible to others on the same network.

Welcome Chat: Spilling data

The people behind Welcome Chat falsely advertised the app as being on the Google Play store, where apps are heavily scrutinised by Google and cybersecurity companies – including ESET.

“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store,” says Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

The malware infrastructure underpinning the Welcome Chat app has similarities to a previously documented espionage campaign in the Middle East, known as ‘BadPatch’.

This malware has been connected to the threat group ‘Gaza Hackers’, also known as the Molerats. The group has been active since 2012 and has targeted victims in the Middle East, US and EU.

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” said Štefanko.

Jake Moore, cybersecurity specialist at ESET, told Verdict that it’s “vital” to properly research an app you intend to use for sending sensitive data before downloading.

“There are plenty of well-known encrypted privacy-focused apps on the stores that help protect the users,” he said.

“False claims are rare but it highlights the importance to look into the background on apps and check for multiple reviews. Users should be vigilant and remain cautious of anything that asks to ‘Allow installing apps from unknown sources’ as this can be very damaging when permissions are granted and handed over.”
