A new strain of Android spyware has been identified that specifically targets security professionals in Saudi Arabia seeking jobs within the government and military. The malware infects victims' devices and steals personal information. Security researchers have yet to attribute the attacks to any specific threat group. However, given the malware's targets, the attacks may be designed to function as a cyberespionage campaign.
Researchers at Intel Security's Mobile Research branch identified the Android spyware, dubbed Android/ChatSpy. The firm noted that the malware was being distributed to people who visited a job search portal seeking positions within the Saudi Arabian military and/or security field. The malware was introduced onto visitors' devices as a private chat application which, once downloaded, gathered personal information including users' contact lists, SMS messages, voice calls, call history, browser history and device information.
Intel Security researcher Yukihiro Okutomi said in a blog: "We have identified a campaign that is working in tandem with a job site that offers work for security personnel in government or military jobs. The motives behind the spyware author are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat."
Researchers noted that the app had no functional chat interface. Upon installation it would hide its icon, begin gathering the victim's data and register the victim with a C&C (command and control) server backed by a MySQL database. Once the spyware had collected personal data, it would transfer it to the server. Alarmingly, the malware is also capable of forwarding the victim's phone calls to another designated number.
Security researchers also highlighted that, despite the malware's effectiveness, its "code is of poor quality". The blatant use of "Spy" in naming the malware, as well as the use of open source tools to collect data, indicates that "the spyware must have been developed in a rush job by a 'script kiddie'."
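The behaviours reported above (bulk collection of contacts, SMS, call logs, browser history and device data; a hidden icon with no real chat interface; call forwarding; a giveaway "Spy" in the name) all leave traces in an APK's manifest that a triage pipeline can score before the app ever runs. The following static triage heuristic is an added example written for this article; it is not code from Intel Security or from the Android/ChatSpy sample. The two manifests, the permission-to-data mapping and the scoring weights are constructed assumptions, chosen to mirror the article's description.

```python
"""Static manifest triage modelled on the Android/ChatSpy behaviours reported
in the article. Example code added to this page; manifests and weights are
constructed assumptions, not artefacts from the real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Permissions that grant the categories of data the article says were stolen.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECORD_AUDIO": "voice calls",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
    "android.permission.READ_PHONE_STATE": "device information",
}
# Permissions needed to place or redirect calls (call-forwarding capability).
CALL_CONTROL_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS",
}
NET_PERMISSION = "android.permission.INTERNET"

def parse_manifest(xml_text):
    """Extract package, label, requested permissions and launcher presence."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.findall("uses-permission")}
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    # NOTE: a LAUNCHER entry can still be disabled at runtime to hide the icon,
    # so its absence is a signal, not proof, and its presence is not a clearance.
    has_launcher = False
    for act in (app.findall("activity") if app is not None else []):
        for f in act.findall("intent-filter"):
            cats = {c.get(A + "name") for c in f.findall("category")}
            if "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    return {"package": root.get("package", ""), "label": label,
            "permissions": perms, "has_launcher": has_launcher}

def triage(manifest_xml, threshold=4):
    """Score a manifest against the ChatSpy-style indicators; weights are assumed."""
    m = parse_manifest(manifest_xml)
    perms = m["permissions"]
    score, findings = 0, []
    collected = [d for p, d in DATA_PERMISSIONS.items() if p in perms]
    if collected:
        score += len(collected)
        findings.append("can read: " + ", ".join(collected))
    if collected and NET_PERMISSION in perms:
        score += 1
        findings.append("network access alongside data permissions (exfiltration capable)")
    if perms & CALL_CONTROL_PERMISSIONS:
        score += 2
        findings.append("call control permissions (call forwarding capable)")
    if not m["has_launcher"]:
        score += 1
        findings.append("no LAUNCHER activity declared (no visible icon)")
    if "spy" in (m["package"] + m["label"]).lower():
        score += 1
        findings.append("'spy' in package name or label")
    verdict = "suspicious" if score >= threshold else "low"
    return {"package": m["package"], "score": score, "verdict": verdict, "findings": findings}

# Constructed manifest resembling the described spyware: fake chat app, no launcher.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatspy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Private Chat">
    <activity android:name=".MainActivity"/>
    <service android:name=".CollectorService"/>
  </application>
</manifest>"""

# Constructed manifest for an ordinary voice-chat app with a normal launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Messenger">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage(xml)
        print(name, r["package"], r["score"], r["verdict"])
        for f in r["findings"]:
            print("  -", f)
```

The point of the design is the combination: a contacts permission or an audio permission alone is normal for a messenger, so each category adds only one point, while the pairing of call-control permissions with a missing launcher entry and a data-plus-network profile is what pushes a sample over the threshold. In a real pipeline the manifest would come from an APK decoded with a tool such as apktool, and the score would be one input to dynamic analysis rather than a verdict on its own.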