The cyber mercenary group Bahamut is targeting Android users with fake VPN apps that exfiltrate confidential data and spy on victims' messaging, according to a new report from ESET's researchers.
The operation has been targeting Android users since January 2022 with malicious apps distributed through a fake SecureVPN website that offers nothing but the apps to download. This is the same method Bahamut has used before to distribute its Android spyware: websites that impersonate or masquerade as legitimate services.
It is important to note, ESET's researchers said, that although the malware used in the campaign carries the SecureVPN name, it is not linked to the legitimate, multiplatform SecureVPN software and service.
Bahamut is referred to as a mercenary group because it offers hack-for-hire services to a wide range of clients. The hackers are thought to be based in Singapore, but their geolocation has not been established with certainty.
What We Know About Fake VPN Apps
Key findings of ESET's research:
Advice for MSSPs
Mobile-focused managed security service providers (MSSPs) working in corporate settings would do well to be aware of this particular malware, especially since employees frequently use their personal phones for work. While targets currently appear to be confined to entities and individuals in the Middle East, South Asia and the U.S., MSSPs should be prepared to see it in the wild in other regions of the world. Because the malicious apps are distributed from a website rather than an app store, a user has to side-load them; restricting installation from unknown sources on managed devices reduces exposure to this distribution method.
According to ESET, the Bahamut spyware, once enabled, can be remotely controlled by its operators and can exfiltrate sensitive device data such as:
The malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as: