User Data Using Fake VPNs

Cybercriminals are currently distributing malicious spyware apps via fake VPN websites. These pages are not affiliated with any legitimate, cross-platform VPN software or service. ESET researchers have identified this ongoing campaign, which targets Android users and is carried out by an APT (Advanced Persistent Threat) group called Bahamut, a group of Indian hackers. Journalists named the group after the giant fish from Arabian mythology that swims in the vast sea and is mentioned in the book Imaginary Creatures by Jorge Luis Borges.

The malicious programme can steal contacts, SMS messages, phone calls, and even chat conversations from major messaging applications such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.

These applications were never available on Google Play, only on the fake websites. The ESET researchers have published their analysis on WeLiveSecurity.

The study states that the most common applications are SecureVPN, SoftVPN, and OpenVPN. According to the researchers, the campaign distributing malicious VPN applications began in January 2022.

The apps require an activation key before the VPN and spying features are enabled. The link to the website and the key are probably delivered to selected users in a targeted manner. This gating is intended to prevent the malicious payload from being triggered immediately after launch or during analysis, since the spyware stays dormant until a valid key is entered.

Once activated, the Bahamut spyware can read sensitive device data such as contacts, SMS messages, call logs, the list of installed apps, device location, device accounts, device information (type of internet connection, IMEI, IP address, SIM serial number), recorded phone calls, and a list of files in storage.

By abusing Android's accessibility services, the malware can also steal notes from the SafeNotes application. The harvested data is saved in a local database before being sent to the Command and Control (C&C) server.
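Two facts from the write-up point to a simple device-side check: the apps never came from Google Play, and the spyware depends on accessibility-service access. The following Python script is an added example, not ESET's tooling or code from the campaign. It parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/service` entries, and `adb shell pm list packages -i`, which prints `package:<name>  installer=<installer>`) and reports every app that is enabled as an accessibility service but was not installed by the Play Store. The command outputs embedded below are constructed samples, and the package names in them (such as `com.example.securevpn`) are invented for illustration.

```python
"""Flag sideloaded Android apps that hold accessibility-service access.

Added defender check, not part of the original article. It combines the
output of two adb commands and lists apps that (a) are enabled as
accessibility services and (b) were not installed from Google Play.
All sample command output below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Installer package name used by the Google Play Store.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/service" entries.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securevpn/com.example.securevpn.svc.HelperService"
)

# Constructed sample of: adb shell pm list packages -i
# "installer=null" means the package has no recorded installer (sideloaded).
SAMPLE_PACKAGES_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.securevpn  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.example.store
"""


def parse_enabled_accessibility(raw: str) -> List[Tuple[str, str]]:
    """Split the enabled_accessibility_services setting into (package, service) pairs."""
    entries = []
    for item in raw.strip().split(":"):
        if not item or "/" not in item:
            continue
        pkg, svc = item.split("/", 1)
        entries.append((pkg.strip(), svc.strip()))
    return entries


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map each package in 'pm list packages -i' output to its installer (None if unknown)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installer: Optional[str] = rest.strip() or None
        if installer == "null":
            installer = None
        installers[pkg.strip()] = installer
    return installers


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]  # None when the package was sideloaded


def find_sideloaded_accessibility_apps(a11y_raw: str, pkg_raw: str) -> List[Finding]:
    """Return accessibility-enabled apps whose installer is not the Play Store."""
    installers = parse_installers(pkg_raw)
    findings = []
    for pkg, svc in parse_enabled_accessibility(a11y_raw):
        installer = installers.get(pkg)
        if installer != PLAY_STORE_INSTALLER:
            findings.append(Finding(pkg, svc, installer))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_accessibility_apps(SAMPLE_ENABLED_A11Y, SAMPLE_PACKAGES_I):
        src = f.installer or "none (sideloaded)"
        print(f"REVIEW: {f.package} service={f.service} installer={src}")
```

On a real device, replace the two constructed strings with the captured command output; a sideloaded VPN app that also appears in the accessibility list is exactly the combination described above and deserves a closer look.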

How do the apps get on the devices?

The Bahamut APT group typically uses spear-phishing emails and fake applications as its initial attack vector against businesses and individuals in the Middle East and South Asia. The group specializes in cyber espionage.

ESET has identified 8 VPN services containing malware; none of them is distributed through Google Play. The researchers recommend installing applications only from official and trusted sources.
