‘Secure’ Chat App Spies on Users

A chat app that claims to be secure has been found to be an instrumental part of a long-running cyber-espionage campaign believed to be based in the Middle East.

Researchers at ESET said claims that Android app Welcome Chat and the website promoting and distributing the app are both secure “couldn't be further from the truth.”

While functioning as a communication app, Welcome Chat was found to simultaneously be serving as spyware, harvesting data for a campaign with links to threat group Gaza Hacker, also known as Molerats. 

“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet,” said Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.

Researchers found that the app does not encrypt the data it transmits, leaving users vulnerable to exposure. 

“Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind," said Štefanko. 

“Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network.”

While posing as a secure and legitimate app, Welcome Chat was never available on the official Android app store. However, the app behaves like any other chat app downloaded from outside Google Play, requiring the setting “Allow installing apps from unknown sources” to be activated.

After installation, the app requests permission to send and view SMS messages, access files, and record audio, as well as requests access to contacts and device location. As soon as permissions are received, Welcome Chat starts receiving commands from its command and control (C&C) server, and it uploads any harvested information. 

In addition to stealing chat messages, the app leaks sent and received SMS messages, call history, contact list, photos, phone call recordings, and the device’s GPS location.

ESET researchers tried to establish whether Welcome Chat is an attacker-Trojanized version of a clean app, or a malicious app developed from scratch. 

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability, but our best guess is that no such app exists,” said Štefanko.

What’s Hot on Infosecurity Magazine?