Security researchers at ESET discovered that the infamous cyber-mercenary group, Bahamut APT, has been using fake VPN apps as a carrier for dangerous malware targeting Android phones. The researchers found at least eight versions of Bahamut spyware on trojanized versions of popular Android apps, SoftVPN and OpenVPN. These apps were never available to download from the Google Play Store, though.
Once installed, the spyware can access sensitive data such as contacts, SMS messages, call logs, device location, and recorded phone calls. The spyware can also spy on information about calls and chat messages from messaging apps like Messenger, Viber, Signal, WhatsApp, Telegram, and WeChat and can extract other data like banking information using keylogging.
The Bahamut group used a spoofed version of the SecureVPN app to distribute the spyware. These apps request an activation key from targeted individuals before enabling the VPN to avoid detection. This key prevents the malicious payload from triggering on devices that don’t belong to the targeted victim. Thus, ensuring the app goes under the radar during installation.
Notably, the fake SecureVPN app doesn’t share any similarities to the original app, which is atypical for phishing. Phishing sites look identical to spoof the users into installing the app. ESET claims the group has maintained the campaign very well, as they discovered eight versions of the Bahamut spyware.
This is one of the many reasons users should restrain from installing apps from untrustworthy sources on the internet. ESET says the campaign began in January this year and is still active.
The Bahamut APT group
The cyber-mercenary group Bahamut APT specializes in cyberespionage by using spearphishing messages and fake applications as the initial attack vector to steal sensitive information from its victims. Bahamut is often referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The group targets entities and individuals in the Middle East and South Asia.
The journalism group, Bellingcat, first discovered their operations in 2017, stating how international and regional powers are engaged in surveillance operations. Bellingcat named the group after the giant fish floating in the Arabian Sea described in Jorge Luis Borges’ Book of Imaginary Beings.
“Bahamut is therefore notable as a vision of the future where modern communications have lowered barriers for smaller countries to conduct effective surveillance on domestic dissidents and to extend themselves beyond their borders,” concluded Bellingcat.
The post Cyber-mercenary group is targeting Android users with fake VPN apps appeared first on Android Headlines.