Messenger App Steals User Data and Hacks Their Devices, ESET Research 

News and Analysis

ESET researchers have discovered a new major privacy threat within a “long-running cyber-espionage campaign” in the Middle East. The new malicious agent is an Android messenger app Welcome Chat. The rogue app is believed to be linked to the Gaza Hackers group a.k.a Molerats.

Hackers Spy on Vulnerable Demographics

Chat apps are banned or restricted in some Middle Eastern countries and so locals are often forced to download dubious messenger software from unofficial sources. This places malicious agents in a unique position where they can prey upon certain vulnerable demographics. The fact that Welcome Chat is specifically marketed to the Arabic audience is immediately obvious just from the app’s website design.

Welcome Chat app’s Website

Welcome Chat app’s Website. Source: Welivesecurity

According to the research, Welcome Chat is indeed a functioning messenger mostly used in Palestine, which also happens to spy on its users.

On installation the app requests the user to grant several key permissions, including sending and viewing SMS messages, accessing files, recording audio, and accessing contacts and device location. Messaging apps often do require most of those permissions, hence even a suspicious user can let this one slip. Researchers believe that gaining access to these tools hackers can establish tight surveillance over a specific target:

“Based on the functionality, hackers might use it to spy on users’ activity. This Welcome Chat app might be used in targeted espionage to make targeted individuals install it and even communicate via it,” says Lukas Stefanko, Malware Researcher at ESET.

The app is designed to send data and receive commands to/from the C&C server every five minutes. Other than its main purpose—monitoring private messaging of its users—the app is capable of several other malicious actions:

“This malware allows the attacker to extract sent and received SMS messages, get call log history, obtain contact list, user photos, can record user’s phone calls, GPS location of the device, and exchanged chat messages from this Welcome Chat app,” noted Lukas Stefanko.

Born That Way

Hackers often do not bother with developing a working product just to slap malware on top of it. Usually, they adopt a clean app and “trojanize” it. But in this case, researchers believe that the app was built by hackers from scratch.

“There is a major question mark with this option: to this day, we have not been able to discover any clean version of the Welcome Chat app,” the report reads.“This leads us to believe that the attackers developed the malicious chat app on their own. Creating a chat app for Android is not difficult; there are many detailed tutorials on the internet. With this approach, the attackers have better control over the compatibility of the app’s malicious functionality with its legitimate functions, so they can ensure that the chat app will work.”

Data Leaks in Real-Time

All private data gathered by the Welcome Chat app is available not only to the hackers but to every user on the network. This was made possible because the app uploads all stolen data to the attacker’s server via unsecured HTTP and does not use encryption to protect the transmission.

“The database contains data such as name, email, phone number, device token, profile picture, messages, and friends list–in fact, all the users’ data except for the account passwords can be found uploaded to the unsecured server,” explained Lukas Stefanko.

BadPatch Connection

ESET researchers came to the conclusion that the group behind the Welcome Chat app is connected to the so-called BadPatch campaign in the Middle East.

“The Welcome Chat espionage app belongs to the very same Android malware family that we identified at the beginning of 2018. That malware used the same C&C server,, as the espionage campaign targeting the Middle East that was identified in late 2017 by Palo Alto Networks and named BadPatch. In late 2019, Fortinet described yet another espionage operation focused on Palestinian targets with the domain among its indicators of compromise,” the research reads.


Even though Welcome Chat’s spying activities are supposedly aimed at targets in the Middle East, anyone using the app still places himself in a dangerous position where his privacy is breached and his device’s security is compromised.

ESET researchers advice to only install apps from the official applications store and closely mind the permissions that each app requires.

“In this case, it is really hard to conclude this app is fishy for the user since it requests permissions that would be naturally requested by any other messaging app. My advice would be that if the user can’t verify the legitimacy of the website or the app, I would suggest using a trustworthy security solution that is up-to-date before installing this app,” Stefanko concludes.

Follow us on Twitter and Facebook and join our Telegram channel to know what’s up with crypto and why it’s important.

Found a typo? Highlight text and press CTRL+ENTER

Subscribe to our Newsletter


Related posts

Tags: , ,