Attackers targeting World Cup fans with 'Golden Cup' Android app loaded with spyware

"Cyber terrorists" behind a campaign targeting Israeli soldiers have shifted their focus to civilians by exploiting the 2018 World Cup

The football from the 2018 FIFA World Cup hosted in Russia

Researchers have uncovered an emerging cyber threat targeting Android device-owning football supporters just as the 2018 FIFA World Cup reaches its climax.

Believed to be part wider spyware campaign targeting members of the Israeli Defence Force (IDF) dating back to the start of 2018, ClearSky security researchers have discovered a variant aimed at targeting football supporters manifesting as an application named 'Golden Cup'.

Advertisement - Article continues below

Days after the IDF publshed a report blaming "Hamas cyber terrorists" for orchestrating a spyware campaign that lured Israeli soldiers into downloading malicious applications, security researchers have found further samples, manifesting principally as 'Golden Cup', now targeting civilians.

The original spyware campaign initially involved fake Facebook profiles asking IDF soldiers, as part of a seduction process, to download the malicious apps named 'GlanceLove' and 'WinkChat' to continue socialising.

Researchers at Symantec noted that given the original approach was "not a great success", the hacker's latest attempt involved a hurriedly created malicious World Cup app to offer users live scores and fixtures and distribute it to Israeli citizens as well as military personnel.

"We assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation," its researchers Roy Iarchy and Eyal Rynkowski wrote on the cyber security company's official blog.

Advertisement - Article continues below

"Even the C&C [command-and-control] server side was mostly exposed with the file listing available for everyone to traverse through it. It contained approximately 8GB of stolen data."

GoldenCup is a fairly innocent-looking app in that its code is aimed at executing the app's touted functionality as a scores hub, while also being geared towards collecting identifiers and some data from the host device.

Advertisement - Article continues below

Thorugh the use of a phased approach GoldenCup exploits its fairly innocuous design to get past Google's security processes and get listed on the Google Play Store. 

After receiving a command from the C&C - communicating using a Message Queuing Telemetry Transport (MQTT) protocol - the app downloads a malicious .dex file that adds additional malicious capabilities. Using this delivery method, its developers can submit a seemingly-legitimate application to the Play Store, adding any malicious elements thereafter.

The first phase involves collecting device information, as well as a list of apps already installed on the device, before the app processes an "install app" command that downloads an encrypted zip file containing a second .dex file.

From this point, the spyware's functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.

Advertisement - Article continues below

These can either be run periodically or upon receiving a command from the C&C server.

"We were unable to find technical similarities or infrastructure overlap with a known threat actor," Clear Sky's research team said.

"However, we assess with medium certainty that the threat actor behind this campaign is Arid Viper based on the targeting of Israeli soldiers, type and character of fake personas on Facebook, and previous Arid Viper activity."

The emergence of a World Cup-related cyber threat is in keeping with malicious actors' tendencies to exploit contemporary or widely-talked about events in the public domain.

Researchers at Kaspersky, for instance, detected a rise in phishing attacks tied to the World Cup in the weeks leading up to the event, alongside a general rise in the number of football-related spam - detailing a series of observations including fake lottery win notifications, and emails from attackers impersonating tournament sponsors.

Norton Antivirus, meanwhile, Symantec's parent company, highlighted one example of a fake win phishing email, informing users they have won $1.8 million "In Russia 2018 World Cup Draw", that reached 26,000 users in its first seven days.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



Evasive malware threats doubled in 2019

24 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020

Best free malware removal tools 2019

2 Mar 2020

Most Popular

Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020

Hackers target Three customers with "sophisticated" phishing scam

26 Mar 2020