Saudi security researchers applying for security jobs with the Saudi government and military were unwittingly installing spyware on their Android devices.

Intel Security's Mobile Research division came across a job portal in Saudi Arabia that was distributing a private chat application for Android devices via its website.

Users that visited the ksa-sef[.]com portal looking for security job offers with the Saudi government and military, and wanted to install the app, would be infected with the Android/ChatSpy spyware.

Android/ChatSpy would steal private information from infected devices

This malware had no functional chat interface, would immediately hide its icon after the installation ended, start collecting data about the device and then would register the victim with a C&C (command and control) server.

After a short while, Android/SpyChat would also begin transferring stolen data to the server, including details such as the user's contacts list, his SMS archive, his browser history, call logs, and basic device hardware info. Additionally, if needed, the spyware would also be able to forward the victim's phone calls to a desired phone number.

Intel researchers say that the threat actor behind this campaign hosted the C&C infrastructure on the same server as the job portal, which they reported to Saudi Arabia's CERT team.

No attribution for the attempted espionage campaign

Taking into account the highly sensitive information a security professional would handle on a daily basis in the Saudi government and military, this is undoubtedly a cyber-espionage campaign.

Intel's staff did not attempt to provide attribution for the attacks to any particular nation state, but in the past, Iran has been accused of similar campaigns against Saudi Arabia, such as in an operation known as OilRig.

Below is a quote from Intel Security's Yukihiro Okutomi, who sums up the malware in a way we could never do it justice.

“ Although the spyware works cleanly and quietly, the application code is of poor quality. The spyware has “spy” in the package name, and the hardcoded SMS message to the attacker has “victim” in plain text. The spyware uses an open-source “call-recorder-for-android,” found on GitHub, to implement the voice-call recording function. With such sloppy coding, the spyware must have been developed in a rush job by a “script kiddie.” ”