Cyber-Mercenaries Target Android Users with Fake VPN Apps
Malicious Apps Can Exfiltrate Information from Signal, Viber and Telegram
A hacking-for-hire group is distributing malicious apps through a fake SecureVPN website that enables Android apps to be downloaded from Google Play, say researchers at Eset.
Researchers from the cybersecurity firm discovered at least eight versions of the spyware, dubbed "Bahamut." The apps were used in a malicious campaign built on trojanized versions of two legitimate apps, SoftVPN and OpenVPN; in both cases, the apps were repackaged with Bahamut spyware.
"The main purpose of the app modifications is to extract sensitive user data and actively spy on victims' messaging apps," the researchers say.
Exfiltration of sensitive data is conducted via keylogging, misusing Android's accessibility service. It can also actively spy on chat messages exchanged through popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger.
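The accessibility-service abuse described above leaves a footprint that a defender can check for before an app ever runs: an Android app that wants to read on-screen text or keystrokes must declare a service bound with `android.permission.BIND_ACCESSIBILITY_SERVICE`. The following triage script is an added example, not code from ESET or from the article; it parses a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and flags any accessibility service, then combines that with the requested permissions to rate how much the app could exfiltrate. The two manifests are constructed samples, the package names and the `EXFIL_PERMISSIONS` list are assumptions for illustration, and the point is the pattern: a VPN client has no functional need for an accessibility service, so its presence in a VPN app is worth a look.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for attributes such as android:name in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Either of these marks a service as an accessibility service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that give a keylogging service somewhere to send data or more data
# to collect. Assumed for illustration; not a published indicator set.
EXFIL_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample: a hypothetical repackaged VPN app that smuggles in an
# accessibility service alongside permissions a VPN client does not need.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securevpn.repack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="SecureVPN">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.securevpn.repack.AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: what a plain VPN client's manifest looks like instead.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="VPN Client">
    <service android:name=".VpnConnectionService"
        android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


def is_accessibility_service(service):
    """True if the <service> binds with the accessibility permission or
    advertises the accessibility intent action."""
    if service.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION:
        return True
    actions = service.findall("intent-filter/action")
    return any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in actions)


def triage_manifest(xml_text):
    """Return a summary dict with the package name, any accessibility services,
    requested permissions that matter for exfiltration, and a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    requested = {e.get(NAME_ATTR) for e in root.findall("uses-permission")}
    accessibility = sorted(
        s.get(NAME_ATTR)
        for s in root.findall("application/service")
        if is_accessibility_service(s)
    )
    risky = sorted(requested & EXFIL_PERMISSIONS)

    if accessibility and risky:
        verdict = "suspicious"   # can read the screen and has a channel/data to exfiltrate
    elif accessibility:
        verdict = "review"       # accessibility service with no obvious exfil path
    else:
        verdict = "no accessibility service"

    return {
        "package": package,
        "accessibility_services": accessibility,
        "risky_permissions": risky,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (REPACKAGED_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

On a device that is already in hand, the same signal can be read live: `adb shell settings get secure enabled_accessibility_services` lists the services a user has switched on, and any entry belonging to a sideloaded VPN app deserves the same scrutiny as a manifest hit.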
The threat group also acts as a mercenary group, offering hacking-for-hire services that include espionage and disinformation services to target nonprofit organizations and diplomats across the Middle East and southern Asia.
Its initial attack vectors include spearphishing messages and fake applications, whose goal is to steal sensitive information from its victims.
The malicious application is delivered via the website thesecurevpn[.]com, a spoof of the real SecureVPN site that lacks the content and styling of the legitimate SecureVPN service (at the domain securevpn.com).
The thesecurevpn[.]com domain was registered on 2022-01-27, but the date of the initial distribution of the fake SecureVPN app is unknown.
Since Bahamut spyware distribution through websites began, eight versions of the spyware have been made available for download.
List of different versions:
In October 2020, BlackBerry researchers identified the Bahamut group creating several fake news websites to push disinformation content. They also discovered a phishing infrastructure and malicious apps being installed in the official Google Play and Apple App stores and used to target specific victims and organizations.
Because the group's targets lack a unifying pattern, the BlackBerry researchers suggest that the hackers likely sell their services to the highest bidder.