Attackers targeting World Cup fans with 'Golden Cup' Android app loaded with spyware

"Cyber terrorists" behind a campaign targeting Israeli soldiers have shifted their focus to civilians by exploiting the 2018 World Cup

The football from the 2018 FIFA World Cup hosted in Russia

Researchers have uncovered an emerging cyber threat targeting Android device-owning football supporters just as the 2018 FIFA World Cup reaches its climax.

Believed to be part wider spyware campaign targeting members of the Israeli Defence Force (IDF) dating back to the start of 2018, ClearSky security researchers have discovered a variant aimed at targeting football supporters manifesting as an application named 'Golden Cup'.

Days after the IDF publshed a report blaming "Hamas cyber terrorists" for orchestrating a spyware campaign that lured Israeli soldiers into downloading malicious applications, security researchers have found further samples, manifesting principally as 'Golden Cup', now targeting civilians.

The original spyware campaign initially involved fake Facebook profiles asking IDF soldiers, as part of a seduction process, to download the malicious apps named 'GlanceLove' and 'WinkChat' to continue socialising.

Advertisement - Article continues below
Advertisement - Article continues below

Researchers at Symantec noted that given the original approach was "not a great success", the hacker's latest attempt involved a hurriedly created malicious World Cup app to offer users live scores and fixtures and distribute it to Israeli citizens as well as military personnel.

"We assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation," its researchers Roy Iarchy and Eyal Rynkowski wrote on the cyber security company's official blog.

"Even the C&C [command-and-control] server side was mostly exposed with the file listing available for everyone to traverse through it. It contained approximately 8GB of stolen data."

GoldenCup is a fairly innocent-looking app in that its code is aimed at executing the app's touted functionality as a scores hub, while also being geared towards collecting identifiers and some data from the host device.

Thorugh the use of a phased approach GoldenCup exploits its fairly innocuous design to get past Google's security processes and get listed on the Google Play Store. 

After receiving a command from the C&C - communicating using a Message Queuing Telemetry Transport (MQTT) protocol - the app downloads a malicious .dex file that adds additional malicious capabilities. Using this delivery method, its developers can submit a seemingly-legitimate application to the Play Store, adding any malicious elements thereafter.

Advertisement - Article continues below

The first phase involves collecting device information, as well as a list of apps already installed on the device, before the app processes an "install app" command that downloads an encrypted zip file containing a second .dex file.

From this point, the spyware's functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.

These can either be run periodically or upon receiving a command from the C&C server.

"We were unable to find technical similarities or infrastructure overlap with a known threat actor," Clear Sky's research team said.

Advertisement - Article continues below

"However, we assess with medium certainty that the threat actor behind this campaign is Arid Viper based on the targeting of Israeli soldiers, type and character of fake personas on Facebook, and previous Arid Viper activity."

The emergence of a World Cup-related cyber threat is in keeping with malicious actors' tendencies to exploit contemporary or widely-talked about events in the public domain.

Advertisement - Article continues below

Researchers at Kaspersky, for instance, detected a rise in phishing attacks tied to the World Cup in the weeks leading up to the event, alongside a general rise in the number of football-related spam - detailing a series of observations including fake lottery win notifications, and emails from attackers impersonating tournament sponsors.

Norton Antivirus, meanwhile, Symantec's parent company, highlighted one example of a fake win phishing email, informing users they have won $1.8 million "In Russia 2018 World Cup Draw", that reached 26,000 users in its first seven days.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020