"Bouncing Golf" is a threat actor group that has been observed infecting over 660 Android devices with a malware named GolfSpy, which has wide-ranging cyberespionage capabilities. The name "Bouncing Golf" was derived from the package name "golf" found in the malware's code. The group repackages legitimate apps with the malware, so users find it difficult to distinguish the original versions from the compromised ones. Trend Micro detects the malware as AndroidOS_GolfSpy.HRX.
There is evidence suggesting a connection between Bouncing Golf and another threat actor group known as Domestic Kitten. This is based on similarities in their coding structures, specifically the decoding algorithm and the use of "" as a separator in their command strings. Furthermore, the data that Domestic Kitten's malware steals follows a format similar to that of Bouncing Golf, with each type of data identified by a unique character.
The operators behind Bouncing Golf are also known to cover their tracks effectively, which adds an extra layer of complexity to mitigating their activities. Continuous monitoring of Bouncing Golf's Command and Control (C&C)-related activity has revealed that the campaign has already affected more than 660 devices. Given these factors, Bouncing Golf poses a significant cybersecurity threat, particularly to Android device users.
Description last updated: 2024-05-05T13:57:06.424Z