An infamous cyber-mercenary group is injecting spyware into Android devices to steal users' chats, new ESET research has found.
These malware attacks are carried out via fake Android VPN apps, and evidence suggests that hackers have used malicious versions of SecureVPN, SoftVPN, and OpenVPN.
The group known as Bahamut APT is believed to be a hack-for-hire service that typically launches attacks via spear-phishing emails and fake apps. According to previous reports, the group has been targeting both organizations and individuals in the Middle East and South Asia since 2016.
ESET researchers believe the group's campaign to distribute malicious VPN apps, estimated to have started in January 2022, is still ongoing.
From phishing emails to fake VPNs
“The campaign appears to be highly targeted as we don’t see any cases in our telemetry data,” said Lukáš Štefanko, the ESET researcher who first discovered the malware.
“Additionally, the app requests an activation key before enabling the VPN and spyware features. Both the activation key and website link are likely being sent to the intended users.”
Štefanko explains that once the app is activated, Bahamut operators can remotely control the spyware, which lets them collect large amounts of sensitive user data.
“Data exfiltration is done through the malware’s keylogger function that misuses accessibility services,” he said.
From SMS messages, call logs and device locations to messages in encrypted messaging apps such as WhatsApp, Telegram or Signal, the attackers can spy on virtually anything on a victim's device without their knowledge.
ESET has identified at least eight trojanized versions of these VPN apps, suggesting the campaign is well maintained.
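Since the keylogger described above depends on the malicious app having an accessibility service enabled, a useful triage step is to inspect which packages currently provide such services. The following script is an added example (not ESET's research code or anything from the campaign): it parses the Android `enabled_accessibility_services` secure setting, a colon-separated list of `package/ServiceClass` entries that `adb shell settings get secure enabled_accessibility_services` prints, and reports any package not on an allowlist. The sample value, the `com.example.fakevpn` package and the allowlist are constructed for the demonstration.

```shell
#!/bin/sh
# Added defensive triage helper, not code from the page or from ESET.
# Input format (Android Settings.Secure "enabled_accessibility_services"):
#   pkg.a/pkg.a.ServiceOne:pkg.b/pkg.b.ServiceTwo
# `settings get` prints the literal string "null" when the key is unset.

# flag_accessibility_services "<settings value>" "<space-separated allowlist>"
# Prints one unexpected package per line; returns 1 if any were found, else 0.
flag_accessibility_services() {
    value=$1
    allow=$2
    flagged=0
    [ "$value" = "null" ] && return 0
    # Split the value on ':' without touching the caller's IFS permanently.
    old_ifs=$IFS
    IFS=:
    set -- $value
    IFS=$old_ifs
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg=${entry%%/*}            # the package name precedes the first '/'
        case " $allow " in
            *" $pkg "*) ;;          # known accessibility provider, skip
            *) echo "$pkg"; flagged=1 ;;
        esac
    done
    return $flagged
}

# Constructed sample: the stock TalkBack screen reader plus a hypothetical
# "VPN" package that has quietly registered its own accessibility service.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakevpn/com.example.fakevpn.KeySvc'
# Constructed allowlist; a real one would hold the accessibility apps the
# device owner knowingly installed.
ALLOWLIST='com.google.android.marvin.talkback'

if [ "${1:-}" = "--demo" ]; then
    flag_accessibility_services "$SAMPLE" "$ALLOWLIST" \
        || echo "review the package(s) listed above"
fi
```

Run with `--demo` to see the constructed case; on a real device, substitute the output of the `adb shell settings get` command for `SAMPLE`.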
It is worth noting that in no case was the malware associated with a legitimate service, and none of the malware-infected apps were promoted on Google Play.
However, the initial distribution vector is still unknown. Judging by how Bahamut APT usually operates, the malicious link could have been sent via email, social media or SMS.
What do we know about Bahamut APT?
While it is still unclear who is behind it, Bahamut APT appears to be a collective of mercenary hackers, as its attacks do not follow any single political agenda.
Bahamut has been conducting extensive cyberespionage campaigns since 2016, mainly in the Middle East and South Asia.
The investigative journalism group Bellingcat was the first to go public in 2017, detailing how both international and regional powers actively engaged in such surveillance operations.
“Bahamut is therefore a noteworthy vision of a future where modern communications have lowered the barriers for smaller countries to conduct effective surveillance of domestic dissidents and expand beyond their borders,” Bellingcat concluded at the time.
The group was then renamed Bahamut, after a giant fish swimming in the Arabian Sea, described in The Book of Imaginary Beings by Jorge Luis Borges.
More recently, another investigation revealed that the Advanced Persistent Threat (APT) group is increasingly making mobile devices its primary target.
Cybersecurity company Cyble first noted this trend last April, observing that the Bahamut group “plans an attack on a target, stays at large for some time, allows the attack to affect many individuals and organizations, and finally steals their data.”
Again, the researchers highlighted the attackers' ability to build well-designed phishing sites that deceive victims and gain their trust.
Lukáš Štefanko confirmed the same in the case of the fake Android apps: “The spyware code and therefore its functionality are the same as in previous campaigns, including collecting data for exfiltration in a local database before sending it to the operators' server, tactics rarely seen in mobile cyberespionage applications.”