Cyber-mercenaries Target Android Users with Fake VPN Apps


Malicious Apps can Exfiltrate Information from Signal, Viber, and Telegram

Trojanized versions of two legitimate apps used by attackers

A hacking-for-hire group is distributing malicious apps through a fake SecureVPN website that enables Android apps to be downloaded from Google Play, say researchers at ESET.


Researchers from the cybersecurity firm discovered at least eight versions of the spyware, dubbed “Bahamut”. The apps were part of a malicious campaign that used Trojanized versions of two legitimate apps – SoftVPN and OpenVPN. In both cases, the apps were repackaged with Bahamut spyware.

“The main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging apps,” the researchers say.

The spyware exfiltrates sensitive data via keylogging, misusing Android’s accessibility service. It can also actively spy on chat messages exchanged through popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger.
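Because the spyware depends on an enabled accessibility service, one defensive check is to audit which services are switched on for a device. The following is an added example, not from ESET or the original article: it parses the value returned by `adb shell settings get secure enabled_accessibility_services` and reports services from packages outside an allowlist. The allowlist contents, the sample string and the `com.example.vpnclient` package are constructed for illustration.

```python
import sys

# Assumption: packages your organisation approves to hold an accessibility
# service. TalkBack is shown only as an illustrative entry.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}

# Constructed sample of the setting value: a colon-separated list of
# "package/service-class" component names. The second entry is a made-up
# VPN client that has an accessibility service enabled.
SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.vpnclient/.HelperService"
)


def parse_components(raw):
    """Return [(package, service_class), ...] from the setting value."""
    raw = (raw or "").strip()
    if raw in ("", "null"):  # setting unset or empty: nothing enabled
        return []
    components = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        package, _, cls = item.partition("/")
        if cls.startswith("."):  # short form ".Service" is relative to package
            cls = package + cls
        components.append((package, cls))
    return components


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Enabled accessibility services whose package is not allowlisted."""
    return [(p, c) for p, c in parse_components(raw) if p not in allowed]


if __name__ == "__main__":
    # Pipe the adb output in, or run with no input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for package, cls in unexpected_services(data):
        print(f"REVIEW: {package} has accessibility service {cls} enabled")
```

A VPN client has no functional need for an accessibility service, so any hit on such a package warrants a closer look at where the app was installed from.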

The threat group also acts as a mercenary group, offering hacking-for-hire services that include espionage and disinformation services to target nonprofit organizations and diplomats across the Middle East and southern Asia.

Its initial attack vectors include spearphishing messages and fake applications, whose…