Android-based espionage campaign in the Middle East targets military data

Malware analyzed by Trend Micro sucks up a target phone’s call logs and records.
Android mobile phone, Samsung Galaxy S10, Google Play Store
(Kārlis Dambrāns / Flickr)

A newly uncovered espionage campaign in the Middle East has infected more than 660 Android phones, and much of the stolen data appears to be “military-related,” researchers from cybersecurity company Trend Micro said Tuesday.

The malware in question is highly invasive, posing as popular news and lifestyle apps to suck up a target phone’s call logs and records, text messages, and storage and memory details, among other data. Attackers aren’t using the Google Play store, a sometimes popular receptacle for malicious apps. Instead, the host website for the malware is being promoted via social media channels, according to Trend Micro. One feature of the malware even allows the operator to take a photo from an infected phone when the device’s owner “wakes” it in locked mode.

Analysts did not pin the so-called “Bouncing Golf” spying operation, which is ongoing, on any group or person, but said the structure of the code used and the data targeted share similarities with a spying campaign reported last year by cybersecurity company Check Point. The prime suspect in that campaign was the Iranian government, Check Point said.

Whoever they are, the operators of the newly documented malware have looked to mask their origins. The contact information they used to register their malware-distributing domains is hidden, Trend Micro said. The IP addresses of their command-and-control server span France, Germany, Russia and other countries.


The researchers did not elaborate on the “military-related” data that was pilfered, other than to say it included images and documents. The limited scope of infected Android phones isn’t surprising given this is a spying operation, “but we also expect it to increase or even diversify in terms of distribution,” the researchers wrote in a blog post.

“[W]e expect more cyber-espionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users,” they added.

Google has sought to crack down on the abuse of Android apps by sanitizing the Google Play store, and by restricting the use of text and call log permissions in apps. But hackers have kept up their innovation in response.

Researchers at cybersecurity company ESET said Monday they had found malicious Android apps capable of getting around Google’s restrictions to steal passwords.

In the case of the Bouncing Golf espionage campaign, some of the malicious apps have names that are similar to legitimate apps in the Google Play store – a possible attempt to make them seem legitimate, Trend Micro researchers told CyberScoop.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts