Cybercrime , Cybercrime as a service , Fraud and cybercrime management
Malicious apps can exfiltrate information from Signal, Viber and Telegram
Prajeet Nair (@prajeetspeaks) •
November 24, 2022
A for-hire group is distributing malicious apps through a fake SecureVPN website that allows downloading Android apps from Google Play, according to Eset researchers.
See also: Live Webinar | How to Achieve Your Zero Trust Goals with Advanced Endpoint Strategies
Dubbed “Bahamut,” researchers at the cybersecurity firm have discovered at least eight versions of the spyware. The apps were used as part of a malicious campaign that used Trojan versions of two legitimate apps – SoftVPN and OpenVPN. In both cases, the apps were repackaged with Bahamut spyware.
“The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps,” the researchers explain.
Sensitive data exfiltration is done through keylogging, abusing Android’s accessibility service. It can also actively spy on chat messages exchanged through popular messaging apps like Signal, Viber, WhatsApp, Telegram, and Facebook Messenger.
The threat group also acts as a mercenary group, offering for-hire hacking services that include spying and disinformation services to target nonprofits and diplomats across the Middle East. and South Asia.
Its initial attack vectors include spear phishing messages and fake apps, the purpose of which is to steal sensitive information from its victims.
The malicious application is delivered via thesecurevpn site[.]com, a parody of the real securevpn site but does not have the content or style of the legitimate SecureVPN service (at domain securevpn.com).
The securevpn[.]com was registered on 2022-01-27, but the date of the initial distribution of the fake SecureVPN app is unknown.
Since Bahamut spyware began to be distributed through websites, eight versions of the spyware have been made available for download.
List of different versions:
- SecureVPN_104.apk;
- SecureVPN_105.apk;
- SecureVPN_106.apk;
- SecureVPN_107.apk;
- SecureVPN_108.apk;
- SecureVPN_109.apk;
- SecureVPN_1010.apk;
- SecureVPN_1010b.apk.
In October 2020, BlackBerry researchers identified Bahamut Group creating several fake news websites to spread misinformation content. They also uncovered phishing infrastructure and malicious apps installed in the official Google Play and Apple App stores and used to target specific victims and organizations.
Because the group’s targets lack a unifying pattern, the Blackberry researchers suggest the hackers are likely selling their services to the highest bidder.