A cyber espionage group known as Bahamut was allegedly behind a highly targeted campaign that infected Android device users with malicious apps designed to extract sensitive information.
Slovak cybersecurity firm ESET said in a new report shared with The Hacker News that the operation, which began in January 2022, consisted of distributing fake VPN apps through a fake SecureVPN website set up for this purpose.
So far, at least eight different variants of the spyware apps have been discovered, each a trojanized version of a legitimate VPN app such as SoftVPN and OpenVPN. None of these apps are available on the Google Play Store.
Fake apps and their updates are pushed to users through phishing websites. It is also suspected that the targets were carefully chosen, as launching the application requires the victim to enter an activation key to activate the features.
This implies the use of an unknown delivery vector, although previous evidence suggests that it could take the form of direct phishing emails, SMS messages, or direct messages on social media apps.
The activation lock mechanism is also designed to communicate with an attacker-controlled server, effectively preventing the malware from accidentally being activated shortly after launch on the devices of untargeted users.
Bahamut was unmasked by Bellingcat in 2017 as a hack-for-hire group that targeted government officials, human rights groups and other prominent organizations in South Asia and the Middle East using custom-made malicious Android and iOS apps to track its victims.
“Perhaps the most distinctive aspect of Bahamut’s craftsmanship […] is the team’s use of original, meticulously crafted websites, apps, and characters,” noted Canadian cybersecurity company BlackBerry in October 2020.
Earlier this year, Cyble detailed two phishing campaigns orchestrated by the group to push Android apps masquerading as chat apps.
The latest wave follows a similar trajectory, tricking users into installing seemingly innocuous VPN apps that can extract vast amounts of information, including files, contacts, SMS messages, call logs, recorded phone calls, device location, and messages from WhatsApp, Facebook Messenger, Signal, Viber, Telegram and WeChat.
“The data theft is done through the malware’s keylogging function, which misuses accessibility services,” said Lukáš Štefanko, researcher at ESET.
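The data categories above each correspond to a specific Android permission, and the keylogging that Štefanko describes requires the app to declare an accessibility service. That combination is a useful triage signal for defenders: a VPN client has no legitimate reason to bind an accessibility service or to read SMS, call logs and contacts. The following script is an added example, not code from ESET or from the report; it parses a decoded AndroidManifest.xml (the form produced by apktool or similar tools) and flags that combination. The two manifests embedded in it are constructed for illustration and the scoring thresholds are an assumption, not an ESET detection rule.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes
# them in Clark notation as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Data categories named in the ESET findings, mapped to the Android
# permissions an app must declare to reach them.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# A service that keylogs via accessibility must carry this bind permission;
# a genuine VPN client's tunnel service carries BIND_VPN_SERVICE instead.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"


def analyze_manifest(manifest_xml: str) -> dict:
    """Summarise which sensitive capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    service_binds = {s.get(PERMISSION_ATTR) for s in root.iter("service")}
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms
    )
    return {
        "capabilities": capabilities,
        "accessibility_service": ACCESSIBILITY_BIND in service_binds,
        "vpn_service": VPN_BIND in service_binds,
    }


def triage(report: dict) -> str:
    """Heuristic verdict for an app that presents itself as a VPN client.

    Thresholds are an assumption for this example: an accessibility service
    plus three or more data-collection capabilities is treated as suspicious,
    any one of them on its own as worth a manual review.
    """
    if report["accessibility_service"] and len(report["capabilities"]) >= 3:
        return "suspicious"
    if report["accessibility_service"] or report["capabilities"]:
        return "review"
    return "consistent with a VPN client"


# Constructed sample: a trojanized VPN keeps its tunnel service but adds an
# accessibility service and the permissions needed to collect the data
# categories listed in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: what a plain VPN client's manifest looks like.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("trojanized", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(xml_text)
        print(label, report, "->", triage(report))
```

The check is deliberately narrow: it says nothing about the activation-key gating or the C2 traffic, only that the declared capabilities do not match what the app claims to be. On a real sample it should be run over the manifest extracted from the APK, and a "suspicious" verdict is a reason to pull the app into dynamic analysis, not a conviction on its own.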
In an indication of a well-maintained campaign, the threat actor initially packaged the malicious code in the SoftVPN app before switching to OpenVPN, a change explained by the fact that the SoftVPN app had stopped working and was unable to establish a VPN connection.
“The mobile campaign run by the APT Bahamut team is still active; it uses the same method of distributing its Android spyware applications through websites that impersonate or masquerade as legitimate services, as seen in the past,” added Štefanko.