>
A notorious group of cyber mercenaries injects spyware into Android devices to steal users’ conversations, new ESET research (opens in new tab) has found.
These malware attacks are launched via fake Android VPN apps, with evidence that the hackers used malicious versions of SecureVPN, SoftVPN, and OpenVPN software.
Known as Bahamut ATP, the group is thought to be a hired service that typically launches attacks via spear phishing messages and bogus applications. According to previous reports, since 2016, the hackers have been targeting both organizations and individuals in the Middle East and South Asia.
ESET researchers are estimated to have started in January 2022 and believe the group’s campaign to distribute malicious VPNs is currently still ongoing.
From phishing emails to fake VPNs
“The campaign seems to be very targeted as we don’t see any cases in our telemetry data,” said Lukáš Štefanko, the ESET researcher who first discovered the malware.
“In addition, the app asks for an activation key before enabling the VPN and spyware functionality. Both the activation key and the website link are likely to be sent to targeted users.”
Štefanko explains that once the app is activated, Bahamut hackers can control the spyware remotely. This means that they are able to infiltrate and collect a lot of sensitive data from users.
“The data exfiltration is done through the malware’s keylogging functionality, which abuses accessibility services,” he said.
From text messages, call logs, device locations and other details to even encrypted messaging apps like WhatsApp, Telegram or Signal, these cybercriminals can spy on virtually anything they find on victims’ devices without them knowing.
ESET identified at least eight versions of these trojanized VPN services, which means that the campaign is well maintained.
It is worth noting that there is no malicious software associated with the legitimate service under any circumstances and none of the malware-infected apps have been promoted on Google Play.
However, the initial distribution vector is still unknown. Looking back at how Bahamut ATP usually works, a malicious link could have been sent via email, social media or SMS.
What do we know about Bahamut APT?
Despite it still not being clear who is behind it, the Bahamut ATP appears to be a collective of mercenaries, as their attacks do not really follow any specific political interest.
Since 2016, Bahamut has been conducting numerous cyber espionage campaigns, mainly in the Middle East and South Asia.
The investigative journalism group Bellingcat was the first to expose their operations in 2017, describing how both international and regional powers were actively involved in such surveillance operations.
“Bahamut is therefore notable as a vision of the future in which modern communications have lowered the barriers for smaller countries to effectively monitor domestic dissidents and extend beyond their borders,” he concluded. Calling cat (opens in new tab) at the time.
The group was then renamed Bahamut, after the giant fish that floats in the Arabian Sea, described in Jorge Luis Borges’ Book of Imaginary Beings.
More recently, another study revealed how the Advanced Persistent Threat (APT) group is increasingly using mobile devices as prime targets.
Cyber security company Cyble first saw this new trend last April (opens in new tab)noting that the Bahamut group “plans their attack on the target, stays in the wild for a while, allows their attack to hit many individuals and organizations, and ends up stealing their data.”
Also in this case, researchers emphasized the ability of cybercriminals to develop such a well-designed phishing site to trick victims and gain their trust.
As Lukáš Štefanko confirmed before the fake Android app incident: “The spyware code, and therefore its functionality, is the same as in previous campaigns, including the collection of data to be exfiltrated into a local database before being sent to the server of be sent to the operator, a tactic rarely seen in mobile cyber-espionage apps.”