Android smartphone owners have been warned about a popular messaging service that markets itself on its ability to send “secure communications”. Researchers have discovered that it is quietly storing text messages, photos and more in a location freely accessible online, where the data can easily be viewed or stolen by cyber criminals.
Clearly, this would be bad for any popular app. But an app that specifically advertises its ability to keep users’ messages, calls, videos and files safe from prying eyes could lead users to send content they wouldn’t otherwise entrust to an app.
The app, known as Welcome Chat, managed to convince users to trust it with such an extraordinary amount of data because of its design as a messaging service. When users install Welcome Chat it requests permissions such as the ability to send and view SMS messages, access files, record audio, and access contacts and device location. That’s a lot. And such a terrifyingly comprehensive list of intrusive permissions might make people suspicious – but with a messaging app, these features are needed for the app to deliver the promised functionality.
Not only that, but Welcome Chat was also actively used by hackers as an espionage tool to keep tabs on users. So, not only was your private messaging data stored in an unsecured location where it was up for grabs by snooping eyes, but your messages were monitored by the developers from the moment that you signed up to the service.
According to research from cybersecurity firm ESET, the app is designed to contact the central server every five minutes with some snippets of your latest chats with friends, family and colleagues. And that’s on top of its ability to exfiltrate sent and received SMS messages, call log history, contact list, user photos, recorded phone calls, the GPS location of the device, and device info.
According to the research team from ESET, “The Welcome Chat espionage app seems to have targeted Arabic-speaking users: both the default website language and default in-app language are Arabic.
“However, based on debug logs left in the code, strings, class and unique variable names, we were able to determine that most of the malicious code was copied from publicly available open-source code projects and code example snippets available on public forums.”
Fortunately, Welcome Chat was never available in the Google Play Store. So, Android users only run the risk of exposing themselves to this nasty app when using third-party app stores online. Users often search in these online stores when looking for banned apps, older versions of software, or free versions of paid-for apps. Following a US trade ban, Huawei is no longer able to install the Google Play Store on its smartphones, leaving users to search for apps in online stores whenever they are not found in the Huawei App Gallery, its Play Store alternative. Although malicious apps do manage to infiltrate the Play Store, this is pretty rare and much less likely than downloading a malicious APK from a random web search.