Trend Micro: The Bouncing Golf cyber espionage campaign is hitting Middle Eastern countries. So far, researchers have observed more than 660 Android devices infected with GolfSpy. Much of the information being stolen appears to be military-related.
It’s dubbed Bouncing Golf and it’s a cyber espionage campaign targeting Middle Eastern countries. It was discovered by Trend Micro cyber security experts, who named it after the package named “golf” in the malware’s code. The malicious code involved, detected as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyber espionage capabilities. It is embedded in apps that the operators repackaged from legitimate applications. By monitoring the command and control (C&C) servers used by Bouncing Golf, the researchers have so far observed more than 660 Android devices infected with GolfSpy. Much of the information being stolen appears to be military-related. The campaign’s attack vector is also interesting: these repackaged, malware-laden apps are neither on Google Play nor on popular third-party app marketplaces. Instead, the website hosting the malicious apps is promoted on social media.
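Because the campaign relies on apps installed from a website rather than from Google Play or an established store, one practical triage step for a defender is to check where each third-party app on a managed device came from. The following is an added example, not Trend Micro’s tooling or anything from the original report: it parses the output of `adb shell pm list packages -3 -i` (which lists third-party packages together with the package that installed them) and flags every app whose installer is not on an allowlist of sanctioned stores. The sample output and package names are constructed, and the allowlist is an assumption to be adjusted for the stores an organisation actually permits.

```python
"""Flag sideloaded Android apps from `adb shell pm list packages -3 -i` output.

Added example for fleet triage; not tooling from Trend Micro or the original
report. The sample output below is constructed and the installer allowlist is
an assumption (only Google Play and the Galaxy Store are treated as trusted).
"""
import re
from typing import Dict, Iterable, List, Tuple

# Installer package names treated as trusted app-store sources (assumption;
# extend this set for the stores your organisation sanctions).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# One line of `pm list packages -i` output looks like:
#   package:com.example.app  installer=com.android.vending
# Apps installed via adb or an APK downloaded in a browser show
# installer=null or the system package installer instead of a store.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> installer package for each line of pm output."""
    installers: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised pm list line: {line!r}")
        installers[match["pkg"]] = match["installer"]
    return installers


def find_sideloaded(
    installers: Dict[str, str],
    trusted: Iterable[str] = TRUSTED_INSTALLERS,
) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs whose installer is not a trusted store.

    'null' means the platform recorded no installer at all, which is what an
    adb install or an older sideload path leaves behind, so it is flagged too.
    """
    trusted_set = set(trusted)
    flagged = [
        (pkg, inst) for pkg, inst in installers.items() if inst not in trusted_set
    ]
    return sorted(flagged)


# Constructed sample output; the package names are placeholders, not real apps.
SAMPLE_PM_OUTPUT = """
package:com.example.chat  installer=com.android.vending
package:com.example.golfclub  installer=null
package:com.example.news  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.sec.android.app.samsungapps
"""


def triage(output: str = SAMPLE_PM_OUTPUT) -> List[Tuple[str, str]]:
    """Parse pm output and return the apps that were not installed from a trusted store."""
    return find_sideloaded(parse_pm_list(output))


if __name__ == "__main__":
    for pkg, inst in triage():
        print(f"sideloaded: {pkg} (installer={inst})")
```

On a real device, pipe `adb shell pm list packages -3 -i` into `triage()`; apps that the allowlist does not cover are the ones to inspect (signing certificate, download origin) before deciding whether they are a repackaged copy of a legitimate app.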
The cyber security experts: there is a possible connection between this mobile cyber espionage campaign and a previously reported one, Domestic Kitten
According to the cyber security experts, there is a possible connection between Bouncing Golf and a previously reported mobile cyber espionage campaign that researchers named Domestic Kitten. The strings of code, for one, are similarly structured, and the data targeted for theft have similar formats. This malware can effectively hijack an infected Android device. The relatively small number of infected devices is understandable given the targeted nature of this campaign, but Trend Micro expects it to increase or even diversify in terms of distribution. Most of the affected devices were located in the Middle East, and much of the stolen data the researchers saw is military-related. Bouncing Golf’s operators also try to cover their tracks: the registrant contact details of the C&C domains used in the campaign were masked, and the C&C server IP addresses appear to be disparate, located in several European countries such as Russia, France, Holland, and Germany.
Here are the capabilities of the GolfSpy malware
Here is the information that GolfSpy steals:
- Device accounts
- List of applications installed on the device
- The device’s currently running processes
- Battery status
- Bookmarks and history of the device’s default browser
- Call logs and records
- Clipboard contents
- Contacts, including those in VCard format
- Mobile operator information
- Files stored on the SD card
- Device location
- List of image, audio, and video files stored on the device
- Storage and memory information
- Connection information
- Sensor information
- SMS messages
- Pictures

GolfSpy also has a function that lets it connect to a remote server to fetch and execute commands, including:
- searching for, listing, deleting, and renaming files, as well as downloading a file to and retrieving a file from the device
- taking screenshots
- installing other application packages (APK)
- recording audio and video
- updating the malware