Cyber-mercenary group targets Android users with fake Trojan VPN apps

The Bahamut spyware misuses accessibility services to actively spy on information about calls and chat messages.

(Image: Thinkstock, Getty)

Android users beware! Security software firm ESET has discovered a malicious spyware campaign in which trojanized VPN apps are used to steal data from messaging apps such as WhatsApp, Messenger, Signal, Viber, and Telegram. The spyware apps are distributed through a fake SecureVPN website that offers only trojanized Android apps for download. The campaign is being run by Bahamut APT – a group that specializes in cyber espionage, usually through fake applications. Targets of these attacks are typically entities and individuals in the Middle East and South Asia.

Like other trojan apps targeting Android, the Bahamut spyware also misuses accessibility services to actively spy on information about calls and chat messages from messaging apps like Messenger, Viber, Signal, WhatsApp, Telegram, and WeChat. Access to accessibility services lets malicious apps steal data through keylogging.

Additionally, likely to avoid detection, these apps request an activation key before the VPN and spyware functionality can be enabled. This activation key is sent only to targeted users. The extra step required to enable the spyware also helps the app stay under the radar during installation, which is when it is most likely to be scanned for viruses.

The fake SecureVPN website does not share any content or UI of the original

Notably, the fake SecureVPN website does not share any content or UI of the original, which is a bit atypical for phishing. Phishing sites usually look identical to the ones they’re based on to appear trustworthy.

The campaign appears to be well-maintained, according to ESET, which has so far discovered eight versions of the Bahamut spyware. None of these apps are available on the Google Play Store to download, meaning the fake SecureVPN website likely distributes APKs – a file format used to install applications on Android.
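Two details above are useful to a defender: the spyware depends on an enabled accessibility service (the keylogging channel), and it arrives as a sideloaded APK rather than through Google Play. The following triage helper is an added example, not ESET's or the article's code. It cross-references the output of `adb shell pm list packages -i` (assumed to print lines like `package:<name>  installer=<installer>`, with `installer=null` for sideloaded apps) with `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` components), and flags any enabled accessibility service whose app did not come from a trusted installer. Both inputs below are constructed samples, and `com.example.securevpn` is a placeholder package name, not the real malware's identifier.

```python
"""Triage helper (added example): list enabled Android accessibility services
whose owning package was not installed from a trusted app store.

Assumed input formats (constructed samples below, captured over adb in practice):
  pm list packages -i                       -> "package:<name>  installer=<installer>"
  settings get secure enabled_accessibility_services -> "pkg/svc:pkg/svc:..."
"""
import re

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's installer package name

# Constructed sample of `pm list packages -i`; "installer=null" means sideloaded.
PACKAGE_LIST = """\
package:com.android.vending  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.securevpn  installer=null
package:com.example.fileshare  installer=com.android.packageinstaller
"""

# Constructed sample of enabled_accessibility_services (placeholder component names).
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securevpn/.core.AccessService"
)

_PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(text):
    """Map package name -> installer package ('null' when sideloaded)."""
    installers = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_enabled_services(text):
    """Return the package name of every enabled accessibility service component."""
    packages = []
    for component in text.split(":"):
        component = component.strip()
        if component and "/" in component:
            packages.append(component.split("/", 1)[0])
    return packages


def flag_suspicious(package_list, enabled_services,
                    trusted_installers=(PLAY_STORE_INSTALLER,)):
    """Enabled accessibility services whose app did not come from a trusted installer.

    Returns a list of {"package": ..., "installer": ...} dicts for manual review;
    the system's own packages (e.g. the Play Store itself) are never accessibility
    services, so they do not appear here even though their installer is 'null'.
    """
    installers = parse_installers(package_list)
    findings = []
    for pkg in parse_enabled_services(enabled_services):
        installer = installers.get(pkg, "unknown")
        if installer not in trusted_installers:
            findings.append({"package": pkg, "installer": installer})
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(PACKAGE_LIST, ENABLED_SERVICES):
        print(f"REVIEW: {finding['package']} (installer={finding['installer']}) "
              "holds accessibility access")
```

On a real device the two constants would be replaced by the captured command output; an app that is both sideloaded and granted accessibility access is not automatically malicious (TalkBack-style tools installed manually would match too), so the output is a review queue, not a verdict.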

Once the data has been stolen it’s stored in a local database and then sent to Bahamut’s “Command and Control server.” Aside from stealing user data through fake apps, Bahamut also offers hack-for-hire services to a wide range of clients. Note that the ‘Bahamut’ name isn’t a self-proclaimed one, and was actually given by the Bellingcat investigative journalism group.

© IE Online Media Services Pvt Ltd

