ESET malware analyst Lukas Stefanko discovered cybermercenary group Bahamut impersonating two popular VPN apps and distributing spyware-laced APKs in a highly targeted campaign aimed at stealing contact, call, device, location as well as app data from target phones.
Bahamut has repackaged the SoftVPN and OpenVPN apps to include malicious code with spyware functionality. Since these repackaged apps can’t be hosted on the Google Play Store, the group has created a fake website impersonating SecureVPN to distribute the malicious app. The website doesn’t seem to be functioning at the time of writing.
So far, Stefanko has discovered eight separate versions of the group’s malicious VPN app, each with a chronological version number suggesting that the spyware is actively being developed. Additionally, all fake apps include code observed in previous Bahamut campaigns, including the SecureChat campaign reported by Cyble in June earlier this year.
These apps can steal contacts, call logs, location details, SMS, and messages sent in apps like Signal, Viber, WhatsApp, Telegram and Facebook Messenger by abusing accessibility features in addition to collecting a list of files from external storage.
All extracted data is stored in a local database before being sent to a Command and Control (C2) server. The group also can update the app by receiving a link to the new version from the said C2 server.
When asked whether there was any significant difference between the version of the spyware used in the SecureChat campaign and the present one, Stefanko stated that “while the spyware capabilities are pretty much the same as reported earlier, what ESET has observed is the Bahamut group is now targeting users who’re seeking for VPN apps.”
Additionally, the fake OpenVPN app also requires an activation key which enables the VPN and the spyware functionality. This prevents the app from launching its spyware payload on boot or a non-targeted device in case it’s being analysed. It didn’t happen in the SecureChat campaign, but ESET reports having seen Bahamut do this in the past.
At the time of writing, there’s no information on who the targets might be or the original distribution vector. The group’s past track record with phishing attacks suggests that targeted users might be getting phished into downloading malicious apps.
In the News: 1,652 malicious images found on Docker Hub
