Fake VPN App Spies on Android Users

Fake VPN app spies on Android users

SET researchers track down eight versions of the malicious app. Malicious apps read contacts, SMS, recorded phone calls and chat messages.

Cybercriminals are currently spreading malicious spyware apps via fake SecureVPN websites. These pages are completely unrelated to the legitimate, cross-platform SecureVPN software and service. ESET researchers have identified this ongoing campaign targeting Android users, carried out by the APT (Advanced Persistent Threat) group Bahamut. The malicious apps used in this are capable of stealing contacts, SMS messages, recorded phone calls and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber and Telegram. In total, ESET experts identified eight versions of the spyware. However, these apps were not available on Google Play at any time, only on the websites. ESET researchers published their analysis on WeLiveSecurity.com.

Apps demand activation key

“The campaign seems to be very targeted, as we could not find any similar cases in our telemetry data,” reported Lukas Stefanko, senior malware researcher at ESET. “The apps requires an activation key before the VPN and spying features can be activated. Both the link to the websites and the key are probably sent to users on a targeted basis. This approach is meant to prevent the malicious payload from being triggered right after launch or during analysis. The Bahamut group is known for this approach.”

Spyware gains extensive rights on devices

When enabled, Bahamut spyware can be remotely controlled by operators and read various sensitive device data, such as contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device information (type of Internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage. By abusing access services, the malware can steal notes from SafeNotes application. It also actively spies chat messages and information about calls from popular messaging apps such as Facebook Messenger, Viber, Signal, WhatsApp or Telegram. The collected data is stored in a local database and then sent to the command and control (C&C) server.

How do the apps get onto the devices?

The Bahamut APT group typically uses spear phishing emails and fake apps as the initial attack vector against businesses and individuals in the Middle East and South Asia. The hackers specialize in cyber espionage. Bahamut is also referred to as a mercenary group that offers its services to a wide range of clients. The name of this threat actor, which seems to be a master in phishing, was given by the investigative journalist group Bellingcat. The journalists named the group after the giant fish from Arab mythology that swims in the vast sea and is mentioned in the Book of Imaginary Beings by Jorge Luis Borges.