Despite Google’s best efforts to combat its spread, malware on Android remains a persistent, nearly ubiquitous problem. New research from the cybersecurity firm ESET reveals that the notorious cyber-mercenary group Bahamut APT has found a new delivery vehicle for malware targeting Android phones: VPN applications.
As the cyber-mercenary label suggests, Bahamut APT is a group of cybercriminals who can be hired to conduct spear-phishing attacks. The gang has been active for some time, frequently focusing on targets in the Middle East and South Asia. ESET researchers have uncovered at least eight variants of the Bahamut spyware in trojanized versions of the popular Android apps SoftVPN and OpenVPN. Repurposed spyware code was apparently used to trojanize these applications.
#ESETresearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps distributed through a fake #SecureVPN website @LukasStefanko https://t.co/Kdfc7hdJQT 1/6
— ESET research (@ESETresearch) November 23, 2022
Since 2017, the Bahamut APT has been in and out of the spotlight for cyber-espionage attacks of varied sizes. This campaign, which uses VPN apps, is a fairly standard spyware attack that aims to gain access to the victim’s SMS messages, call records, location, and call recordings by compromising their device.
Using keylogging, the spyware may snoop on chat apps such as WhatsApp and harvest additional data such as financial information.
All infected apps were distributed via a counterfeit version of the SecureVPN website, and they were never available for download on the Play Store. These VPN applications appeared to target specific users, who were directed to the website with a unique activation code. This key prevents the malicious payload from triggering on devices that don’t belong to the specifically targeted victim. Another red flag for potential victims is that the authentic version of the VPN does not require an activation key or a visit to a website.
This discovery by the ESET team is a stark reminder not to download applications from unreliable sources on the internet. According to the researchers, the campaign began in January of this year and is ongoing. If you’re trying to download a suggested VPN app, we urge you to stick to the Play Store, even if someone gives you a link to get one elsewhere.