Cybercriminals are currently spreading malicious spyware apps through fake SecureVPN websites. These pages are unrelated to the legitimate, cross-platform SecureVPN software and service. ESET researchers have identified this ongoing campaign targeting Android users, run by the APT (Advanced Persistent Threat) group Bahamut. The malicious apps are able to steal contacts, SMS messages, recorded phone calls and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber and Telegram. In total, ESET experts identified eight versions of the spyware. These applications were never available on Google Play, only on the fake websites. The ESET researchers have published their analysis on WeLiveSecurity.de.

“The campaign appears to be very targeted as we could not find any similar cases in our telemetry data,” reports Lukas Stefanko, senior malware researcher at ESET. “The apps require an activation key before the VPN and spy features can be activated. Both the link to the websites and the key are probably sent specifically to users. This approach is intended to prevent the malicious payload from being triggered immediately after launch or during analysis. The Bahamut group is known for this approach.”

Spyware app gains extensive permissions on the devices

Once activated, the Bahamut spyware can be controlled remotely by its operators and read a wide range of sensitive device data: contacts, SMS messages, call logs, the list of installed apps, the device's location, device accounts, device information (type of internet connection, IMEI, IP address, SIM serial number), recorded phone calls and a listing of files on external storage. By abusing accessibility services, the malware can steal notes from the SafeNotes application. In addition, it actively spies on chat messages and call information from popular messaging apps such as Facebook Messenger, Viber, Signal, WhatsApp and Telegram. The collected data is stored in a local database and then sent to the command and control (C&C) server.

How do the apps get onto the devices?

The Bahamut APT group typically uses spear-phishing emails and fake applications as its initial attack vector against companies and individuals in the Middle East and South Asia. The group specializes in cyber espionage and is also described as a mercenary group that offers its services to a variety of clients. This threat actor, which appears to be a master of phishing, was named by the investigative journalism group Bellingcat. The journalists named the group after the giant fish from Arabian mythology that swims in the vast sea and is mentioned in Jorge Luis Borges' Book of Imaginary Beings.

The ESET researchers published their analysis on WeLiveSecurity.




