The Golden Cup app offers free streaming and statistics from past and present FIFA world cups. The only problem is that it is spyware. It has been taken from Google Play.
It got past Google Play’s strict checking using a phased-approach. The app itself was not spyware but what it did to Android afterwards was.
Golden Cup was silently transferring information to cybercriminals, including victims phone numbers, installed apps, device model and manufacturer, available internal storage capacity, and more.
Don’t confuse this with legitimate apps like CONCACAF Gold Cup, Gold Cup 2017 and official FIFA World Cup apps. This was clearly a case of passing off.
This threat campaign, called Android/FoulGoal.A, looks like a typical sporting app with general information and background around the games.
Golden Cup has two payloads
First, in the background and without user consent, the app silently transfers information to cybercriminals, including
- Phone number
- Installed packages
- Device model, manufacturer, serial number
- Available internal storage capacity
- Device ID
- Android version
- IMEI, IMSI
Second, it has a spy function to steal SMS messages, contacts, multimedia files, and device location from infected devices.
- Collect device info
- Track location
- Contacts information upload
- Sent and received SMS messages upload
- Photos and images upload
- Video files upload
- Send recursive dirlist of the external storage
- Specific files upload
- Record audio using the microphone
- Record calls
- Use the camera to capture bursts of snapshots
Data is exfiltrated using encryption and sent to the Command and Control Server.
But the Golden Cup style of app does not stop there
McAfee has found two other variants created by the same authors published to Google Play as dating apps. They have been taken off Google Play, but it still sees indications of infections from telemetry data.
Download telemetry data shows global spread. But most downloads took place in the Middle East. This was most likely because of a World Cup-themed Twitter campaign in Hebrew. It told people to download the app for a breakdown of the latest events.
Ian Yip, McAfee CTO APAC expects an increase in cyber attacks relating to major sporting events. He warns fans to be cautious of suspicious links and apps. Be especially aware of dodgy app recommendations in social media.
Fans need to ensure devices and data protection.
- Google Play is usually safe. It is getting better at identifying these ‘progressive download’ spyware apps. Never use a third-party app store.
- Never click on a link in an email or social media recommending an app. Always go directly to Google Play. Free tickets and giveaways usually have a catch and are often too good to be true.
- Look at requested permissions when you install it.
- Watch with caution. If you want to stream watch only on dedicated, official channels (even if you have to pay). If you do find a free stream look for the organisation’s mark to make sure it’s legitimate.
- Be smart when you connect. It’s best to use a VPN service to ensure you have a connection that helps secure your data.
GadgetGuy’s take. Come in spinner. Golden Cup is just one of many fake apps
It is a shame it got through Google Play’s checking.
The Bad Guys get smarter, and in turn, Google Play gets wiser. It is a game of cat and mouse.