The Great Game of Mobile Malware
In the 19th century, a tense war of espionage was taking place between the formidable Russian and British empires. Driven by extreme rivalry, those on either side went to great lengths to scout out new lands and protect those they had already gained. It was an era that came to be known as ‘The Great Game’.
In 2018, Russia was again playing host to ‘The Great Game’ in this year’s World Cup. Although Russia and England did not end up playing each other, a different kind of game was, however, taking place off the pitch in other parts of the world. For when the first whistle of the 2018 World Cup blew, it didn’t just begin an exciting battle of world domination for football fans, but also provided an opportunity for cyber spies to exploit this much anticipated event for their own malicious goals.
After an announcement by the Israel Defence Forces that the Hamas terrorist organization had installed spyware on Israeli soldiers’ smartphones, Check Point researchers analysed the malicious app which clandestinely hid a Mobile Remote Trojan Application (MRAT) inside a match scheduler that was promoted via Facebook as a way for fans to keep up to date with this year’s World Cup matches.
Known as ‘Golden Cup’, the sophisticated app was able to bypass the extensive safeguards of Google Play, Google’s official app store, by hiding code inside what looked like a benign match schedule app. Once downloaded, however, the app began communicating with the attacker’s command and control server to receive the second stage of the attack, which infected the victim’s device with highly invasive malware. This malware was able to carry out the following actions:
- Record the user’s phone calls.
- Take a picture when the user received a call.
- Steal the user’s contacts.
- Steal the user’s SMS messages.
- Steal all images and videos stored on the mobile device and information on where they were taken.
- Capture the user’s GPS location.
- Take random recordings of the user’s surroundings.
- Steal all files from the mobile device’s storage.
[Diagram: operation flow of the malicious ‘Golden Cup’ mobile app]
Trends of Mobile Espionage
Recent cyber espionage campaigns seem to focus directly on the Middle East, Korea and China, and this latest attack is yet another indicator of how spy tactics are evolving and continuing the trend towards mobile. Furthermore, whether these threats come from nation-state actors or cyber-crime gangs, they often use sophisticated attack techniques to bypass traditional controls in order to reach their victims.
Regardless of where these campaigns are targeted, though, they serve as a reminder of how much we rely on our phones as our main tool of communication and how much personal, as well as work-related, information they contain. It certainly provides food for thought as to how aware government agencies, armed forces and enterprise corporations alike should be of the threats to their staff and network as a whole, and the measures they should take.
With consumers and company employees often using their mobile devices as the preferred method of accessing the internet and corporate resources, or of storing private information, what gets downloaded onto these mobile devices should very much be a priority, for both them and their organization. Furthermore, although third party app stores do all they can to block malicious apps from being uploaded, sophisticated attacks such as this will always find a devious way of bypassing them, making on-device protection even more necessary.
In the case of ‘Golden Cup’, Google diligently gave this app the red card and removed it from Google Play before it could spread and infect others. However, whether it is ‘The Great Game’ or ‘The Beautiful Game’, it is only a matter of time before the attackers challenge it, and mobile users everywhere, to a rematch.
For full analysis of this malware, visit Check Point Research.
Sales | BizDev | PS | Founder of JConnect | Start-Ups | Business Consultant | Mentor | Executive Coach
6 years ago: Great Game, Great Article!
Senior UX Writer | Content Designer
6 years ago: Nice piece!