The cyber mercenary group Bahamut is targeting Android users with fake VPN apps to exfiltrate confidential data and spy on victims’ messaging, a new report from ESET’s researchers said.
The operation has been targeting Android users since January 2022 with malicious apps distributed through a fake SecureVPN website whose only content is the apps offered for download. The campaign reuses Bahamut's established method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services.
It’s important to note, the security provider’s researchers said, that the malware used in the campaign has the same SecureVPN name but is not linked to the legitimate, multiplatform SecureVPN software and service.
Bahamut is also referred to as a mercenary group because it offers hack-for-hire services to a wide range of clients. The hackers are thought to be based in Singapore, but their location has not been confirmed.
What We Know About Fake VPN Apps
Key findings of ESET's research:
- The app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut spyware code that the Bahamut group has used in the past. These malicious apps were never available for download from Google Play.
- At least eight versions of these maliciously patched apps, with code changes and updates, have been made available through the distribution website, which might mean that the campaign is well maintained.
- The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps.
- Targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users.
- ESET does not know the initial distribution vector (email, social media, messaging apps, SMS, etc.).
Advice for MSSPs
Mobile-focused managed security service providers (MSSPs) serving corporate customers would do well to be aware of this particular malware, especially since some employees still use their personal phones for work. While targets currently appear to be confined to entities and individuals in the Middle East and South Asia, and the U.S., MSSPs should be prepared to see it in the wild in other regions of the world.
According to ESET, the Bahamut spyware, once enabled, can be remotely controlled by its operators and can exfiltrate sensitive device data such as:
- Contacts
- SMS messages
- Call logs
- List of installed apps
- Device location
- Device accounts
- Device info (type of internet connection, IMEI, IP, SIM serial number)
- Recorded phone calls
- List of files on external storage
The malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps such as:
- Imo-International Calls & Chat
- Facebook Messenger
- Viber
- Signal Private Messenger
- Telegram
- Conion apps