GolfSpy

Nowadays, mobile phones may often end up storing more critical information than computers so that it is not a surprise that many cybercriminals are exploring the prospect of creating Android-compatible malware. Such is the case with GolfSpy, a new malware strain that has been active in the Middle East – it targets Android devices exclusively. Currently, the number of confirmed infections is rather low so that it is possible that the GolfSpy malware might be used against carefully selected targets.

Security researchers noticed some similarities between the strings and functions used in Domestic Kitten and GolfSpy, which might mean that the same group of criminals might be behind both of these campaigns.

GolfSpy is likely to be used for espionage since its primary features are meant to exfiltrate data from the infected device. The complete list of features is impressive, and the remote attacker might be able to gain access to just about any data found on the infected Android device:

• Saved device accounts.
• List of installed applications.
• Currently running processes.
• Battery health & charge.
• Browser history and bookmarks.
• Full contact information and call logs.
• Memory card files.
• Images, audio, and video found on the device's memory.
• Text messages.

Researchers were able to intercept the Command & Control server that the attackers also use to exfiltrate collected data to. The information found there was rather concerning – it would appear that a large portion of the collected information is related to military personnel.

Surprisingly, the threatening applications that hide the GolfSpy are not hosted on the Google Play Store or similar services – instead, the senders have opted to propagate them via bogus social media posts and messages. With just around 660 victims so far, GolfSpy's campaign is small in terms of scale certainly, but we may see more activity from the criminals soon.