
Cybersecurity firm ESET has uncovered a spyware campaign in which trojanized VPN apps for Android are used to steal data from messaging apps including WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.
The spyware apps are distributed through a fake SecureVPN website that offers nothing but trojanized Android apps for download. Trojan apps are programs that appear to perform one function (here, a VPN client) while also performing another (here, data theft). ESET attributes the campaign to Bahamut APT, a group that specialises in cyberespionage, usually delivered through fake applications. Its targets are typically organisations and individuals in the Middle East and South Asia.
In what is likely an anti-analysis measure, the apps request an activation key before either the VPN or the spyware functionality is enabled, and that key is sent only to the intended targets. Because the malicious code stays dormant without the key, an automated scanner or sandbox that runs the app at installation time, when it is most likely to be checked for malware, sees only an inert VPN client.
Notably, the fake SecureVPN website copies neither the content nor the UI of the legitimate site, which is unusual for phishing: lure sites normally mimic their target closely to appear trustworthy.
The campaign appears to be actively maintained; ESET has so far identified eight versions of the Bahamut spyware. None of these apps is available on the Google Play Store, so victims must sideload them: the fake SecureVPN website serves APK files (the Android application package format) for manual installation.
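Since the apps never reach Google Play, the cheapest defensive check is to list which third-party apps on a device were installed from somewhere other than the store. The following is an added example written for this article, not ESET's tooling or code from the original page. It parses the output of `adb shell pm list packages -i -3` (third-party packages with their installer), which is assumed here to have the stock `package:<name>  installer=<installer>` line format, and flags anything not installed by Google Play (`com.android.vending`, the only installer this example trusts). The sample output and package names are constructed for the example.

```python
"""Flag sideloaded Android apps from `adb shell pm list packages -i -3` output.

Added example for this article, not ESET's tooling. Assumes the stock
`pm list packages -i` line format: `package:<name>  installer=<installer>`.
"""
import re
from typing import List, Tuple

# Assumption: only Google Play counts as a trusted store. Add vendor stores
# (Samsung, Huawei, an enterprise MDM agent) for the fleet you actually manage.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `installer=null` means no store recorded the install (sideloaded, or a
# preinstalled system app; the `-3` flag excludes the latter). A browser or the
# package installer as installer means a manually installed APK.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_output(text: str) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs in listing order; non-matching lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("installer")))
    return pairs


def find_sideloaded(text: str) -> List[Tuple[str, str]]:
    """Packages whose installer is not a trusted store."""
    return [(pkg, inst) for pkg, inst in parse_pm_output(text)
            if inst not in TRUSTED_INSTALLERS]


def find_suspect_vpns(text: str) -> List[str]:
    """Sideloaded packages whose name mentions 'vpn': the lure this campaign uses.

    A name-based heuristic only; a malicious package can call itself anything.
    """
    return [pkg for pkg, _ in find_sideloaded(text) if "vpn" in pkg.lower()]


# Constructed sample output; the package names are invented for this example.
SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.securevpn  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
a line that is not pm output and should be ignored
"""

if __name__ == "__main__":
    for pkg, inst in find_sideloaded(SAMPLE):
        print(f"sideloaded: {pkg} (installer={inst})")
    print("suspect VPN packages:", find_suspect_vpns(SAMPLE))
```

Treat a hit as a lead, not a verdict: the installer field only records how the APK arrived, and because the spyware in this campaign stays dormant until an activation key is supplied, a behavioural scan of a flagged app may still look clean. Pull the APK (`adb pull` on the path from `pm path <package>`) and inspect it offline rather than relying on what it does when launched.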
Stolen data is first written to a local database on the device and then uploaded to Bahamut’s command-and-control (C2) server. Beyond stealing user data through fake apps, Bahamut also offers hack-for-hire services to a wide range of clients. The name ‘Bahamut’ is not self-chosen; it was assigned by the Bellingcat investigative journalism group.