Attackers targeting World Cup fans with 'Golden Cup' Android app loaded with spyware

"Cyber terrorists" behind a campaign targeting Israeli soldiers have shifted their focus to civilians by exploiting the 2018 World Cup

The football from the 2018 FIFA World Cup hosted in Russia

Researchers have uncovered an emerging cyber threat targeting Android device-owning football supporters just as the 2018 FIFA World Cup reaches its climax.

Believed to be part wider spyware campaign targeting members of the Israeli Defence Force (IDF) dating back to the start of 2018, ClearSky security researchers have discovered a variant aimed at targeting football supporters manifesting as an application named 'Golden Cup'.

Days after the IDF publshed a report blaming "Hamas cyber terrorists" for orchestrating a spyware campaign that lured Israeli soldiers into downloading malicious applications, security researchers have found further samples, manifesting principally as 'Golden Cup', now targeting civilians.

The original spyware campaign initially involved fake Facebook profiles asking IDF soldiers, as part of a seduction process, to download the malicious apps named 'GlanceLove' and 'WinkChat' to continue socialising.

Researchers at Symantec noted that given the original approach was "not a great success", the hacker's latest attempt involved a hurriedly created malicious World Cup app to offer users live scores and fixtures and distribute it to Israeli citizens as well as military personnel.

"We assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation," its researchers Roy Iarchy and Eyal Rynkowski wrote on the cyber security company's official blog.

"Even the C&C [command-and-control] server side was mostly exposed with the file listing available for everyone to traverse through it. It contained approximately 8GB of stolen data."

GoldenCup is a fairly innocent-looking app in that its code is aimed at executing the app's touted functionality as a scores hub, while also being geared towards collecting identifiers and some data from the host device.

Thorugh the use of a phased approach GoldenCup exploits its fairly innocuous design to get past Google's security processes and get listed on the Google Play Store. 

After receiving a command from the C&C - communicating using a Message Queuing Telemetry Transport (MQTT) protocol - the app downloads a malicious .dex file that adds additional malicious capabilities. Using this delivery method, its developers can submit a seemingly-legitimate application to the Play Store, adding any malicious elements thereafter.

The first phase involves collecting device information, as well as a list of apps already installed on the device, before the app processes an "install app" command that downloads an encrypted zip file containing a second .dex file.

From this point, the spyware's functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.

These can either be run periodically or upon receiving a command from the C&C server.

"We were unable to find technical similarities or infrastructure overlap with a known threat actor," Clear Sky's research team said.

"However, we assess with medium certainty that the threat actor behind this campaign is Arid Viper based on the targeting of Israeli soldiers, type and character of fake personas on Facebook, and previous Arid Viper activity."

The emergence of a World Cup-related cyber threat is in keeping with malicious actors' tendencies to exploit contemporary or widely-talked about events in the public domain.

Researchers at Kaspersky, for instance, detected a rise in phishing attacks tied to the World Cup in the weeks leading up to the event, alongside a general rise in the number of football-related spam - detailing a series of observations including fake lottery win notifications, and emails from attackers impersonating tournament sponsors.

Norton Antivirus, meanwhile, Symantec's parent company, highlighted one example of a fake win phishing email, informing users they have won $1.8 million "In Russia 2018 World Cup Draw", that reached 26,000 users in its first seven days.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
Bahrain targets activists with NSO's Pegasus spyware
spyware

Bahrain targets activists with NSO's Pegasus spyware

24 Aug 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021
What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
Nike to take customers into the metaverse with 'NIKELAND'
virtualisation

Nike to take customers into the metaverse with 'NIKELAND'

19 Nov 2021