McAfee warns of cyberattacks targeting World Cup fans; Google Play Store users earn a yellow card with malicious apps



McAfee, a device-to-cloud cybersecurity company, warns fans to be wary of malicious apps and phishing emails created specifically to target soccer supporters.

Fans have turned to their devices to stream games and stay informed about the fate of their teams advancing to the next rounds. Some fans have looked to the “Golden Cup” app to stream data and records from past and present games, not knowing that cybercriminals have also used the app to install spyware on devices of unsuspecting fans.

This threat campaign, called Android/FoulGoal.A, looks like a typical sporting app with general information and background around the games. However, in the background and without user consent, the app silently transfers information to cybercriminals, including victims’ phone numbers, installed apps, device model and manufacturer, and available internal storage capacity.

English soccer fans have enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game for some time. Using major events as social engineering is nothing new, as phishing emails have often taken advantage of disasters and sporting events to lure victims.

“Golden Cup” is the malicious app that installs spyware on victims’ devices. It was distributed via Google Play, and “offered” the opportunity to stream games and search for records from the current and past World Cups. McAfee Mobile Security identifies this threat as Android/FoulGoal.A; Google has removed the malicious applications from Google Play.

Once Golden Cup is installed it appears to be a typical sporting app, with multimedia content and general information about the event. Most of this data comes from a web service without malicious activity. However, in the background and without user consent the app silently transfers information to another server.

Golden Cup captures a considerable amount of encrypted data from the victim’s device including phone number, installed packages, device model, manufacturer, serial number, available internal storage capacity, and device ID. It also captures the Android version, as well as the IMEI and IMSI. This spyware may be the initial stage of a greater infection because of its capability to load dex files from remote sources. The app connects to its control server and tries to download, unzip, and decrypt a second stage.

The second phase of the attack leverages an encrypted dex file. The file has a .data extension and is downloaded and dynamically loaded by the first-stage malware; it is extracted with the same mechanism used to upload the encrypted files. The location of the decryption key can be identified from the size of the contents and a fixed number in the first-stage malware.

After decryption, McAfee can see out.dex in zipped format. The dex file has spy functions to steal SMS messages, contacts, multimedia files, and device location from infected devices. The control server in the second stage is different from the first stage’s, but the encryption methodology and the folder structures on the remote server are identical to the first stage. The company also found one victim’s GPS location information and recorded audio files (.3gp) among the encrypted data on the control server.
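The second stage described above arrives as an encrypted blob that, once decrypted, turns out to be a zip archive holding a dex file. An analyst who has recovered such a blob wants a quick way to confirm what it is before loading it into a disassembler. The following Python helper is an added illustration written for this article, not code from McAfee or from the report; it does not model FoulGoal’s key-derivation scheme and works only on bytes that have already been decrypted. It classifies the blob as a zip archive, a raw dex file, or unknown, and for every dex found it parses the fixed header and verifies the adler32 checksum and SHA-1 signature, which is a cheap way to tell a clean decryption from a wrong key or truncated download. The sample payload it runs on is constructed inline.

```python
"""Triage helper for a recovered Android second-stage payload.

Added example, not the report's own code. Given bytes that have already
been decrypted, decide whether they are a zip archive, a raw dex file or
something else, and for every dex found check header fields and integrity
values. The key location logic of the real malware is not modelled here.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"          # followed by 3-digit version and NUL
ZIP_MAGIC = b"PK\x03\x04"            # local file header of a zip archive
DEX_HEADER_SIZE = 0x70               # the dex header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412


def parse_dex_header(data: bytes) -> dict:
    """Parse the fixed dex header and verify its checksum and signature."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a dex file")
    version = data[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    # The adler32 covers everything after the checksum field itself; the
    # SHA-1 covers everything after the signature field.
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    return {
        "version": version,
        "file_size": file_size,
        "declared_size_matches": file_size == len(data),
        "header_size": header_size,
        "endian_tag_ok": endian_tag in (ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT),
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
    }


def triage_payload(blob: bytes) -> dict:
    """Classify a decrypted blob and report every dex found inside it."""
    report = {"container": "unknown", "entries": [], "dex": {}}
    if blob.startswith(ZIP_MAGIC):
        report["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                report["entries"].append(info.filename)
                content = zf.read(info.filename)
                if content.startswith(DEX_MAGIC_PREFIX):
                    report["dex"][info.filename] = parse_dex_header(content)
    elif blob.startswith(DEX_MAGIC_PREFIX):
        report["container"] = "raw-dex"
        report["dex"]["<raw>"] = parse_dex_header(blob)
    return report


def build_sample_dex() -> bytes:
    """Constructed sample: a header-only dex with valid checksum and signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def build_sample_payload() -> bytes:
    """Constructed sample: a zip holding out.dex, the layout the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("out.dex", build_sample_dex())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_payload(build_sample_payload()))
```

A failed checksum or signature on an otherwise well-formed header usually means the blob was decrypted with the wrong key or cut short in transit, which is worth knowing before spending time on disassembly. The same helper can be pointed at any `.data` file pulled from a device or from network captures once its encryption layer has been removed.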

McAfee has also discovered two other variants of this threat created by the same authors and published to Google Play as dating apps. Although all the apps have been removed from Google Play, the security company still sees indications of infections in its telemetry data, so it knows that these apps are active on some users’ devices.

McAfee’s telemetry data indicates that although users around the world have downloaded the app, the majority of downloads took place in the Middle East, most likely as a result of a World Cup–themed Twitter post in Hebrew directing people to download the app for a breakdown of the latest events.

Although these apps have now been removed from the Google Play store, McAfee anticipates an increase in cyberattacks around major sporting events and warns fans to be cautious of suspicious links and apps.

Fans should keep these tips in mind to protect their devices and data. Go directly to the source to avoid phishing attempts and other cyberattacks: always go to the provider’s own site. If a link or email looks suspicious, avoid opening it. Free tickets and giveaways usually have a catch and are often too good to be true.

When streaming the games, make sure they are viewed only on dedicated, official channels. Visit the organization’s official website to learn where it streams its games and what its streaming policies are. Finally, if the user does find a stream for the game they’re looking for, look for the organization’s mark to make sure it’s legitimate. Avoid connecting to free Wi-Fi networks or Bluetooth-paired devices. It’s best to use a VPN service so that the user has a connection that helps secure personal data.

 


WWPI – Covering the best in IT since 1980