{
	"id": "0a649b59-fd7c-40a5-b0f8-ff7bfb976df1",
	"created_at": "2026-04-06T00:19:52.883913Z",
	"updated_at": "2026-04-10T03:38:03.458903Z",
	"deleted_at": null,
	"sha1_hash": "3b16bd8ba6add836736e804404fc93361e536713",
	"title": "Welcome Chat as a secure messaging app? Nothing could be further from the truth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 882477,
	"plain_text": "Welcome Chat as a secure messaging app? Nothing could be further from the truth\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:43:09 UTC\r\nWe discovered a new operation within a long-running cyber-espionage campaign in the Middle East. Targeting Android users via the malicious Welcome Chat app, the operation appears to have links to the malware named BadPatch, which MITRE links to the Gaza Hackers threat actor group, also known as Molerats.\r\nOur analysis shows that the Welcome Chat app allows its operators to spy on its victims. It is not simple spyware, however: Welcome Chat is a functioning chat app that delivers the promised functionality alongside its hidden espionage capability.\r\nWe found this spyware being advertised to chat-hungry users (such apps are banned in some countries in the Middle East) on a dedicated website (see Figure 1). The website is in Arabic, which is consistent with the targeting of the wider campaign we believe this operation belongs to. The domain was registered in October 2019; we could not, however, determine when the website was launched.\r\nhttps://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/\r\nPage 1 of 10\n\nFigure 1. The website of the malicious Welcome Chat app\r\nThe malicious website promotes the Welcome Chat app, claiming it is a secure chat platform that is available on the Google Play store. Both claims are false. As for the “secure” claim, nothing could be further from the truth: not only is Welcome Chat an espionage tool, its operators also left the data harvested from their victims freely accessible on the internet. And the app was never available on the official Android app store.\r\nFigure 2. 
Despite the caption stating “High quality, secure and available on Google Play”, the button downloads the installation file directly from the malicious website\r\nFunctionality/Analysis\r\nBecause the app is not downloaded from the Play Store, installing it requires the user to enable the setting “Allow installing apps from unknown sources”.\r\nAfter installation, the malicious app asks the victim to grant permissions such as sending and viewing SMS messages, accessing files, recording audio, and accessing contacts and device location. Such an extensive list of intrusive permissions might normally make victims suspicious, but with a messaging app it seems natural that they are needed for the app to deliver the promised functionality.\r\nFigure 3. Permission requests by Welcome Chat spyware\r\nIn order to communicate with other users of the app, the user needs to register and create a personal account (see Figure 4).\r\nFigure 4. The Sign up/Login dialog of the Welcome Chat app\r\nImmediately after receiving these permissions, Welcome Chat sends information about the device to its Command and Control (C\u0026C) server and is ready to receive commands. 
It is designed to contact the C\u0026C server every five minutes.\r\nOn top of its core espionage functionality, monitoring the chat communications of its users, the Welcome Chat app can perform the following malicious actions: exfiltrating sent and received SMS messages, call log history, the contact list, user photos, recorded phone calls, the GPS location of the device, and device information.\r\nTrojanized or attacker-developed chat app?\r\nAn interesting question arises with functional trojan apps: is the app an attacker-trojanized version of a clean app, or did the attackers develop a malicious app from scratch?\r\nIn both cases it is easy for the attackers to spy on the in-app messages exchanged, as they would, naturally, hold the authorization keys to the user database.\r\nAlthough the first option is typical for trojanized apps, we believe that in this particular case the second explanation is more probable.\r\nTypically, trojanized apps are created by appending malicious functionality to a legitimate app. The attackers find and download a suitable app, decompile it, add the malicious functionality, and recompile the now-malicious-yet-still-functioning app to spread it among their desired audience.\r\nThere is a major question mark over this option: to this day, we have not been able to discover any clean version of the Welcome Chat app. Not only can it not be found on any of the Android markets we have on our radar; based on the binary matching algorithms in our sample classification systems, we have not found any clean app with this same chat functionality. Of interest in this regard is that a clean version of Welcome Chat, without the espionage functionality, was uploaded to VirusTotal in mid-February 2020 (SHA-1 hash: 757bd41d5fa99e19200cee59a3fd1577741ccd82). 
The malicious version had first been submitted to VirusTotal a week earlier.\r\nThis leads us to believe that the attackers developed the malicious chat app on their own. Creating a chat app for Android is not difficult; there are many detailed tutorials on the internet. With this approach, the attackers have better control over how the app’s malicious functionality coexists with its legitimate functions, so they can ensure that the chat app will work.\r\nCode analysis\r\nThe Welcome Chat espionage app seems to have targeted Arabic-speaking users: both the default website language and the default in-app language are Arabic. However, based on debug logs left in the code, strings, class names and unique variable names, we were able to determine that most of the malicious code was copied from publicly available open source projects and code snippets posted on public forums.\r\nFigure 5. The developer used different pieces of open source code to create the malicious app\r\nIn some cases the copied open source code is quite old (see Table 1). A possible explanation is that all the listed examples appear at the very top of the results of a simple Google search for the respective functionality.\r\nTable 1. The origins of the malicious code\r\nFunctionality | Source | Age (years)\r\nCall recording | open source, GitHub | 8\r\nSMS stealing | open source, GitHub | 6\r\nGoogle Maps coordinates | open source, Blogspot (plus other sources) | 5\r\nGEO tracking | open source, GitHub | 8\r\nGPS tracking | open source, GitHub | 5\r\nUser data leak\r\nThe Welcome Chat app, including its infrastructure, was not built with security in mind. 
The app uploads all of the user’s stolen data to the attacker-controlled server via unsecured HTTP.\r\nBecause the transmitted data is not encrypted, it is available not only to the attacker but also to anyone on the same network who can observe the traffic. The server itself is unsecured as well, so the data stored on it is freely accessible to anyone on the internet.\r\nThe database contains data such as name, email, phone number, device token, profile picture, messages and friends list; in fact, all of the users’ data except the account passwords can be found on the unsecured server.\r\nFigure 6. The victim’s device uploads the user data to the app’s server\r\nFigure 7. User database leak\r\nFigure 8. Leaked user info\r\nFigure 9. An example of an in-app message being freely accessible on the app’s unsecured server\r\nOnce we discovered that this sensitive information was publicly accessible, we intensified our efforts to find the developer of the legitimate chat app (i.e., the app the espionage tool would, eventually, have been a trojanized version of) in order to disclose the vulnerability to them. We found neither the developer nor the app, convincing us that the app was built as malicious from the beginning. Naturally, we made no effort to reach out to the malicious actors behind the app.\r\nPossible BadPatch connection\r\nThe Welcome Chat espionage app belongs to the very same Android malware family that we identified at the beginning of 2018. That malware used the same C\u0026C server, pal4u.net, as the espionage campaign targeting the Middle East that was identified in late 2017 by Palo Alto Networks and named BadPatch. 
In late 2019, Fortinet described yet another espionage operation focused on Palestinian targets, with the domain pal4u.net among its indicators of compromise.\r\nFor these reasons we believe that this campaign, with its new Android trojans, comes from the threat actors behind the long-term BadPatch campaign.\r\nRecommendation\r\nWhile the Welcome Chat espionage operation seems to be narrowly targeted, we strongly recommend that users do not install any apps from outside the official Google Play store, unless the source is trusted, such as the website of an established security vendor or a reputable financial institution. On top of that, users should pay attention to what permissions their apps require and be suspicious of any app that requires permissions beyond its functionality; and, as a very basic security measure, run a reputable security app on their mobile devices.\r\nIndicators of Compromise (IoCs)\r\nHash (SHA-1) | ESET detection name\r\nC60D7134B05B34AF08023155EAB3B38CEDE4BCCD | Android/Spy.Agent.ALY\r\nC755D37D6692C650692F4C637AE83EF6BB9577FC | Android/Spy.Agent.ALY\r\n89AB73D4AAF41CBCDBD0C8C7D6D85D21D93ED199 | Android/Spy.Agent.ALY\r\n2905F2F60D57FBF13D25828EF635CA1CCE81E757 | Android/Spy.Agent.ALY\r\nC\u0026C: emobileservices.club\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1444 | Masquerade as Legitimate Application | Welcome Chat impersonates a legitimate chat application.\r\nPersistence | T1402 | App Auto-Start at Device Boot | Welcome Chat listens for the BOOT_COMPLETED broadcast, ensuring that the app's functionality is activated every time the device starts.\r\nDiscovery | T1426 | System Information Discovery | Welcome Chat collects information about the device.\r\nCollection | T1412 | Capture SMS Messages | Welcome Chat exfiltrates sent and received SMS messages.\r\nCollection | T1430 | Location Tracking | Welcome Chat spies on the device's location.\r\nCollection | T1433 | Access Call Log | Welcome Chat exfiltrates call log history.\r\nCollection | T1432 | Access Contact List | Welcome Chat exfiltrates the user contact list.\r\nCollection | T1429 | Capture Audio | Welcome Chat records surrounding audio.\r\nCollection | T1533 | Data from Local System | Welcome Chat steals user photos stored on the device.\r\nCommand and Control | T1437 | Standard Application Layer Protocol | Welcome Chat uploads exfiltrated data using the HTTP protocol.\r\nSource: https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/"
	],
	"report_names": [
		"welcome-chat-secure-messaging-app-nothing-further-truth"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b16bd8ba6add836736e804404fc93361e536713.pdf",
		"text": "https://archive.orkl.eu/3b16bd8ba6add836736e804404fc93361e536713.txt",
		"img": "https://archive.orkl.eu/3b16bd8ba6add836736e804404fc93361e536713.jpg"
	}
}