Attackers targeting World Cup fans with 'Golden Cup' Android app loaded with spyware

"Cyber terrorists" behind a campaign targeting Israeli soldiers have shifted their focus to civilians by exploiting the 2018 World Cup


Researchers have uncovered an emerging cyber threat targeting Android device-owning football supporters just as the 2018 FIFA World Cup reaches its climax.

ClearSky security researchers have discovered a spyware variant aimed at football supporters and manifesting as an application named 'Golden Cup'. It is believed to be part of a wider spyware campaign targeting members of the Israeli Defence Force (IDF) dating back to the start of 2018.

Days after the IDF published a report blaming "Hamas cyber terrorists" for orchestrating a spyware campaign that lured Israeli soldiers into downloading malicious applications, security researchers have found further samples, manifesting principally as 'Golden Cup', now targeting civilians.

The original spyware campaign initially involved fake Facebook profiles asking IDF soldiers, as part of a seduction process, to download the malicious apps named 'GlanceLove' and 'WinkChat' to continue socialising.

Researchers at Symantec noted that, given the original approach was "not a great success", the hackers' latest attempt involved hurriedly creating a malicious World Cup app that offers users live scores and fixtures, and distributing it to Israeli citizens as well as military personnel.

"We assume it was rushed because, unlike GlanceLove, it lacked any real obfuscation," its researchers Roy Iarchy and Eyal Rynkowski wrote on the cyber security company's official blog.

"Even the C&C [command-and-control] server side was mostly exposed with the file listing available for everyone to traverse through it. It contained approximately 8GB of stolen data."

GoldenCup is a fairly innocent-looking app in that its code is aimed at executing the app's touted functionality as a scores hub, while also being geared towards collecting identifiers and some data from the host device.

Through the use of a phased approach, GoldenCup exploits its fairly innocuous design to get past Google's security processes and get listed on the Google Play Store.

After receiving a command from the C&C server, with which it communicates using the Message Queuing Telemetry Transport (MQTT) protocol, the app downloads a malicious .dex file that adds further malicious capabilities. Using this delivery method, its developers can submit a seemingly legitimate application to the Play Store, adding any malicious elements thereafter.

The first phase involves collecting device information, as well as a list of apps already installed on the device, before the app processes an "install app" command that downloads an encrypted zip file containing a second .dex file.

From this point, the spyware's functions span from collecting more information about the devices to recording phone calls. The attackers can track location, upload images and video files, upload contacts information, upload SMS message history, record audio using the microphone, and use the camera to capture bursts of snapshots.

These can either be run periodically or upon receiving a command from the C&C server.
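A defender triaging an APK for the staged-delivery pattern described above can look for runtime code loading alongside an MQTT client in the app's DEX files. The following is an added example, not code from the researchers or the original article; the indicator list, function names and sample APKs are constructed, and Eclipse Paho is assumed as the MQTT library since the article names none.

```python
import io
import zipfile

# Type descriptors as they appear in a DEX string table (plain ASCII bytes).
INDICATORS = {
    "dynamic_code_loading": [b"Ldalvik/system/DexClassLoader;",
                             b"Ldalvik/system/InMemoryDexClassLoader;"],
    # Assumption: Eclipse Paho, a common Android MQTT client; the article
    # does not say which MQTT library the app used.
    "mqtt_channel": [b"Lorg/eclipse/paho/client/mqttv3/"],
    "archive_decryption": [b"Ljava/util/zip/ZipInputStream;", b"Ljavax/crypto/Cipher;"],
}

def triage_apk(apk_bytes):
    """Return {indicator: [dex entries where it was seen]} plus a review flag."""
    hits = {name: [] for name in INDICATORS}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            # Multidex apps ship classes.dex, classes2.dex, ...
            if not (entry.startswith("classes") and entry.endswith(".dex")):
                continue
            dex = apk.read(entry)
            for name, needles in INDICATORS.items():
                if any(n in dex for n in needles):
                    hits[name].append(entry)
    # Each capability alone is common in benign apps; the combination of a
    # remote command channel with runtime code loading is what merits review.
    staged = bool(hits["dynamic_code_loading"] and hits["mqtt_channel"])
    return {"hits": hits, "review_for_staged_loading": staged}

def make_sample_apk(dex_strings):
    """Constructed test input: a zip with a fake classes.dex holding only strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()

# Constructed samples (not real apps): one that pairs an MQTT client with
# runtime code loading and crypto, and one that only uses MQTT.
SUSPICIOUS = make_sample_apk([b"Lorg/eclipse/paho/client/mqttv3/MqttClient;",
                              b"Ldalvik/system/DexClassLoader;",
                              b"Ljavax/crypto/Cipher;"])
BENIGN = make_sample_apk([b"Lorg/eclipse/paho/client/mqttv3/MqttClient;"])

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_apk(apk))
```

A plain byte search like this only works on samples without string obfuscation, which is how the researchers quoted above describe GoldenCup.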

"We were unable to find technical similarities or infrastructure overlap with a known threat actor," ClearSky's research team said.

"However, we assess with medium certainty that the threat actor behind this campaign is Arid Viper based on the targeting of Israeli soldiers, type and character of fake personas on Facebook, and previous Arid Viper activity."

The emergence of a World Cup-related cyber threat is in keeping with malicious actors' tendency to exploit contemporary or widely talked-about events in the public domain.

Researchers at Kaspersky, for instance, detected a rise in phishing attacks tied to the World Cup in the weeks leading up to the event, alongside a general rise in the number of football-related spam - detailing a series of observations including fake lottery win notifications, and emails from attackers impersonating tournament sponsors.

Norton Antivirus, meanwhile, Symantec's parent company, highlighted one example of a fake win phishing email, informing users they have won $1.8 million "In Russia 2018 World Cup Draw", that reached 26,000 users in its first seven days.
