{"id":9283,"date":"2020-07-15T21:20:51","date_gmt":"2020-07-15T18:20:51","guid":{"rendered":"https:\/\/forklog.media\/?p=9283"},"modified":"2020-07-16T21:18:49","modified_gmt":"2020-07-16T18:18:49","slug":"messenger-app-steals-user-data-and-hacks-their-devices-eset-research","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/messenger-app-steals-user-data-and-hacks-their-devices-eset-research\/","title":{"rendered":"Messenger App Steals User Data and Hacks Their Devices, ESET Research\u00a0"},"content":{"rendered":"<p>ESET researchers have <a href=\"https:\/\/www.welivesecurity.com\/2020\/07\/14\/welcome-chat-secure-messaging-app-nothing-further-truth\/\">discovered<\/a> a new major privacy threat within a \u201clong-running cyber-espionage campaign\u201d in the Middle East. The new malicious agent is an Android messenger app called Welcome Chat. The rogue app is believed to be linked to the Gaza Hackers group, a.k.a. <a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/actor\/molerats\">Molerats<\/a>.<\/p>\n<p><!--more--><\/p>\n<h2>Hackers Spy on Vulnerable Demographics<\/h2>\n<p>Chat apps are banned or restricted in some Middle Eastern countries, so locals are often forced to download dubious messenger software from unofficial sources. This puts malicious actors in a position to prey on a particularly vulnerable population. 
The fact that Welcome Chat is marketed specifically to an Arabic-speaking audience is immediately obvious from the app\u2019s website design alone.<\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/07\/Figure-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/07\/Figure-1.png\" alt=\"Welcome Chat app\u2019s Website\" width=\"1203\" height=\"871\" \/><\/a><\/p>\n<p><i>Welcome Chat app\u2019s Website.<\/i> <i>Source: <\/i><a href=\"https:\/\/www.welivesecurity.com\/2020\/07\/14\/welcome-chat-secure-messaging-app-nothing-further-truth\/\"><i>Welivesecurity<\/i><\/a><\/p>\n<p>According to the research, Welcome Chat is indeed a functioning messenger, used mostly in Palestine, that also spies on its users.<\/p>\n<p>On installation, the app asks the user to grant several sensitive permissions, including sending and reading SMS messages, accessing files, recording audio, and accessing contacts and device location. Messaging apps legitimately require most of these permissions, so even a wary user may let this one slip. Researchers believe that with access to these capabilities the attackers can keep a specific target under close surveillance:<\/p>\n<blockquote><p><b><i>\u201cBased on the functionality, hackers might use it to spy on users\u2019 activity. This Welcome Chat app might be used in targeted espionage to make targeted individuals install it and even communicate via it,\u201d <\/i><\/b><i>says Lukas Stefanko, Malware Researcher at ESET.<\/i><\/p><\/blockquote>\n<p>The app is designed to upload collected data to the C&amp;C server and poll it for new commands every five minutes. 
Beyond its main purpose\u2014monitoring its users\u2019 private messaging\u2014the app is capable of several other malicious actions:<\/p>\n<blockquote><p><b><i>\u201cThis malware allows the attacker to extract sent and received SMS messages, get call log history, obtain contact list, user photos, can record user\u2019s phone calls, GPS location of the device, and exchanged chat messages from this Welcome Chat app,\u201d <\/i><\/b><i>noted Lukas Stefanko.<\/i><\/p><\/blockquote>\n<h2>Born That Way<\/h2>\n<p>Attackers often do not bother developing a working product just to slap malware on top of it; usually they take a clean app and \u201ctrojanize\u201d it. In this case, however, researchers believe the app was built by the attackers from scratch.<\/p>\n<blockquote><p><b><i>\u201cThere is a major question mark with this option: to this day, we have not been able to discover any clean version of the Welcome Chat app,\u201d <\/i><\/b><i>the report reads. <\/i><b><i>\u201cThis leads us to believe that the attackers developed the malicious chat app on their own. Creating a chat app for Android is not difficult; there are many detailed tutorials on the internet. With this approach, the attackers have better control over the compatibility of the app\u2019s malicious functionality with its legitimate functions, so they can ensure that the chat app will work.\u201d<\/i><\/b><\/p><\/blockquote>\n<h2>Data Leaks in Real-Time<\/h2>\n<p>All private data gathered by the Welcome Chat app is exposed not only to the attackers but to anyone able to intercept the traffic or reach the server. 
The app uploads everything it steals to the attackers\u2019 server over plain HTTP, with no encryption protecting the data in transit, and the server itself is left unsecured.<\/p>\n<blockquote><p><b><i>\u201cThe database contains data such as name, email, phone number, device token, profile picture, messages, and friends list\u2013in fact, all the users\u2019 data except for the account passwords can be found uploaded to the unsecured server,\u201d <\/i><\/b><i>explained Lukas Stefanko.<\/i><\/p><\/blockquote>\n<h2>BadPatch Connection<\/h2>\n<p>ESET researchers concluded that the group behind Welcome Chat is connected to the so-called <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-badpatch\/\">BadPatch<\/a> campaign in the Middle East.<\/p>\n<blockquote><p><b><i>\u201cThe Welcome Chat espionage app belongs to the very same Android malware family that we identified at the beginning of 2018. That malware used the same C&amp;C server, pal4u.net, as the espionage campaign targeting the Middle East that was identified in late 2017 by Palo Alto Networks and named BadPatch. 
In late 2019, <\/i><\/b><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/badpatch-campaign-uses-python-malware.html\"><b><i>Fortinet<\/i><\/b><\/a><b><i> described yet another espionage operation focused on Palestinian targets with the domain pal4u.net among its indicators of compromise,\u201d <\/i><\/b><i>the research reads.<\/i><\/p><\/blockquote>\n<h2>Conclusion<\/h2>\n<p>Even though Welcome Chat\u2019s spying is apparently aimed at targets in the Middle East, anyone who installs the app has their privacy breached and their device\u2019s security compromised.<\/p>\n<p>ESET researchers advise installing apps only from the official app store and paying close attention to the permissions each app requests.<\/p>\n<blockquote><p><b><i>\u201cIn this case, it is really hard to conclude this app is fishy for the user since it requests permissions that would be naturally requested by any other messaging app. My advice would be that if the user can\u2019t verify the legitimacy of the website or the app, I would suggest using a trustworthy security solution that is up-to-date before installing this app,\u201d<\/i><\/b><i> Stefanko concludes.<\/i><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have discovered a new major privacy threat within a \u201clong-running cyber-espionage campaign\u201d in the Middle East. The new malicious agent is an Android messenger app called Welcome Chat. 
The rogue app is believed to be linked to the Gaza Hackers group, a.k.a. Molerats.<\/p>\n","protected":false},"author":6,"featured_media":9284,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"human_written","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[976,100,573],"class_list":["post-9283","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-hacks","tag-malware","tag-privacy"],"aioseo_notices":[],"amp_enabled":true,"views":"1118","promo_type":"1","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=9283"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9283\/revisions"}],"predecessor-version":[{"id":9286,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/9283\/revisions\/9286"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/9284"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=9283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=9283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=9283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}