Bahamut Spyware Group Compromises Android Devices Via Fake VPN Apps
The Bahamut APT group has been targeting Android users through a fake SecureVPN website since at least January 2022.
According to a new advisory from Eset, the app used as part of this malicious campaign was a trojanized version of either of two legitimate VPN apps, SoftVPN or OpenVPN. In both instances, the apps were repackaged with Bahamut spyware code.
“We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained,” Eset wrote.
The security researchers explained that the primary purpose of the app modifications was to exfiltrate sensitive user data and spy on victims’ messaging apps.
In particular, the fake SecureVPN Android apps could extract sensitive data such as SMS messages, contacts, call logs, device location and recorded phone calls.
The trojanized apps also let the operators spy on chat messages in several messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.
The data is collected through the malware's keylogging component, which abuses Android's accessibility services to read what is displayed and typed on screen, and is then exfiltrated to the attackers. Eset suggested that the campaign is highly targeted, as the company did not observe any infections in its telemetry data.
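Because the spyware depends on the victim granting it an accessibility service, the most direct triage check on a suspect device is to enumerate the enabled accessibility services and compare them against the ones you expect. The script below is an added example, not code from Eset or from the Bahamut write-up; it parses the output of two `adb shell` commands captured from the device (`settings get secure enabled_accessibility_services` and `pm list packages -3`), both of which are embedded here as constructed samples. The package name `com.example.securevpn`, the service class `AccessibilityLogger` and the allowlist are assumptions for illustration, not identifiers taken from the report.

```python
"""Triage check for accessibility-service abuse on an Android device.

Runs offline over captured `adb shell` output. The sample inputs are
constructed for illustration; com.example.securevpn is a hypothetical
package name, not one from the ESET report.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of:  adb shell settings get secure enabled_accessibility_services
# Android stores this setting as ':'-separated flattened ComponentNames ("pkg/cls");
# a class that begins with '.' is relative to its package.
ENABLED_ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securevpn/.AccessibilityLogger"
)

# Constructed sample of:  adb shell pm list packages -3   (third-party apps only)
THIRD_PARTY_PACKAGES_OUTPUT = """package:com.example.securevpn
package:org.thoughtcrime.securesms
package:com.whatsapp
"""

# Accessibility services this fleet is expected to run (assumption: an
# analyst-maintained allowlist; extend it with the assistive tools you deploy).
ALLOWLIST: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Return (package, fully-qualified class) pairs from the secure setting.

    Mirrors ComponentName.unflattenFromString: 'pkg/.Cls' -> ('pkg', 'pkg.Cls').
    An empty setting or the literal 'null' means no service is enabled.
    """
    services: List[Tuple[str, str]] = []
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.strip().split(":"):
        if "/" not in entry:
            continue  # malformed entry: skip it rather than abort the triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party_packages(pm_output: str) -> Set[str]:
    """Extract package names from `pm list packages -3` output."""
    pkgs: Set[str] = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def flag_services(setting: str, pm_output: str, allowlist: Set[str]) -> List[Dict[str, str]]:
    """Flag enabled accessibility services that are not on the allowlist.

    Each finding records whether the owning package is a third-party (sideloaded
    or store-installed) app, as a trojanized VPN downloaded from a fake site would be.
    """
    third_party = parse_third_party_packages(pm_output)
    findings: List[Dict[str, str]] = []
    for pkg, cls in parse_enabled_services(setting):
        component = f"{pkg}/{cls}"
        if component in allowlist:
            continue
        findings.append({
            "component": component,
            "package": pkg,
            "origin": "third-party" if pkg in third_party else "system/preinstalled",
        })
    return findings


if __name__ == "__main__":
    for f in flag_services(ENABLED_ACCESSIBILITY_SERVICES, THIRD_PARTY_PACKAGES_OUTPUT, ALLOWLIST):
        print(f"SUSPICIOUS accessibility service: {f['component']} ({f['origin']})")
```

On a real device, capture the two commands with `adb shell` and feed their output to `flag_services`. A third-party package that holds an enabled accessibility service is not proof of infection, since legitimate password managers and automation tools use the same API, but it is the first thing to pull the APK for and compare against the signing certificate of the genuine app it claims to be.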
“We believe that targets are carefully chosen since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” reads the technical write-up.
Although Eset's telemetry did not reveal who the targets of this campaign were, the advisory notes that the Bahamut APT group, active since at least 2017, typically targets companies and individuals in the Middle East and South Asia.
“Bahamut specializes in cyberespionage, and we believe its goal is to steal sensitive information from its victims,” Eset wrote. “Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients.”
The company’s advisory comes weeks after security researchers at Zimperium discovered a new Android spyware family dubbed ‘RatMilad’ trying to infect an enterprise device in the Middle East.