fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Android chat app uses public code to spy, exposes user data

Android chat app uses public code to spy, exposes user data

Android chat app uses public code to spy, exposes user data
Android chat app uses public code to spy, exposes user data

A chat application for Android claiming to be a secure messaging platform comes with spying functionality and stores user data in an unsecured location that is publicly available.

Welcome Chat targets users from a specific region of the world and relies on open source code for recording calls, stealing text messages, and tracking.

Normal chat app permissions

The developers of Welcome Chat promoted it as a secure communication solution that is available from the Google Play store. Its intended audience are Arabic-speaking users. It’s important to note that some countries in the Middle East ban this type of apps.

Researchers at cybersecurity company ESET found that the app delivers more than the advertised chat functions and it was never part of the official Android store.

Apps outside Play Store require users to allow installation from unknown sources, which happens in the case of Welcome Chat.

If users fail to heed this red flag, the app asks for permission to send and view SMS messages, access files, record audio, and access contacts and device location. These permissions are normal for a chat app.

Open source code for spying

nce it gets the consent from the user, Welcome Chat starts sending out information about the device and contacts its command and control (C2) server every five minutes for commands.

The researchers say that monitoring the communication with other Welcome Chat users is at the core of this malicious app, which is complemented by the following malicious actions:

  • exfiltrate sent and received text messages
  • steal call history log
  • steal the victim’s contact list
  • steal user photos
  • exfiltrate recorded phone calls
  • send the GPS location of the device along with system info

The researchers discovered that much of the code used for spying comes from public sources, either from open-source projects or code snippets published as examples on various forums.

Whoever developed Welcome Chat did not spend much effort on it. They likely looked online for the desired espionage functionality and took the code from the first results.

This conclusion is supported by the age of the code for certain capabilities, which in some cases has been publicly available for at least five years. The call recording and geo-tracking functions, for instance, are eight years old.

A low-skilled attacker is also suggested by the fact that the app and its infrastructure lack basic security like encrypting the data in transit. The connection to the download website is also insecure.

Also read: Cost of GDPR Compliance for Singapore Companies

User data freely accessible

“Transmitted data is not encrypted and because of that, not only it is available to the attacker, it is freely accessible to anyone on the same network,” says ESET Android malware researcher Lukas Stefanko in a blog post today.

Included in the app’s database on the server is everything but the user account password; names, email addresses, phone numbers, device tokens, profile pictures, messages, and friends list.

Initially, the researchers believed that Welcome Chat is a legitimate app that had been trojanized and tried to warn the developers. They found a clean variant only on VirusTotal. It was uploaded in mid-February, a week after the malicious version was submitted to the scanning platform

This lead to the conclusion that the app was intended for spying from the beginning and that a benign variant from a legitimate developer does not exist.

Although there is no strong evidence, Welcome Chat may be the work of the same group behind BadPatch an espionage campaign identified in 2017 that targeted users in the Middle East.

The connection between the two is the C2 server (pal4u[.]net), used in both campaigns. The same C2 served another cyberespionage operation discovered by Fortinet in 2019, targeting Palestinian users.

Also read: How to Register Data Protection Officer (DPO) in ACRA Bizfile+

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us