Researchers at the cybersecurity firm ESET have discovered an active Android malware campaign that began in January 2022. The campaign in question distributes spyware injected into legitimate VPN apps. The researchers have tied this campaign to an advanced persistent threat (APT) group known as “Bahamut.”
Bahamut has been active since at least 2017, when it was first identified. The APT group conducts cyberespionage primarily in the Middle East and South Asia, working to steal sensitive information at the behest of paying clients. Bahamut has developed its own spyware, which it has packaged with fake applications in the past. However, the group has more recently been re-packaging legitimate apps with its spyware added to the code.
Downloading malicious VPN app from website (click to enlarge) (source: ESET)
ESET researchers have found Bahamut injecting its malware into the SoftVPN and OpenVPN apps, which are both legitimate VPN apps. The versions of these apps available on the Google Play Store are the legitimate, non-malicious versions of the apps. However, Bahamut has been running a fraudulent VPN website, where it distributes its own versions of these apps with its custom spyware included. While this website is no longer accessible at the domain name identified by the researchers, it contained a download button that visitors could click to download a malicious APK file.
Free web template used by the threat actors on the fraudulent VPN website (click to enlarge) (source: ESET)
The ESET researchers discovered that the APT group made use of a free VPN web template on its fraudulent website. Bahamut customized this template by borrowing the SoftVPN logo and combining it with the name of another legitimate VPN service, SecureVPN. The malicious APK file available for download on the website also bore this same name. The ESET researchers identified at least eight versions of the two malicious VPN apps pushed by Bahamut in this campaign, meaning the threat group has been actively updating its spyware over the course of this year. The researchers suspect that Bahamut switched from injecting its spyware into SoftVPN to doing the same to OpenVPN because the developers of SoftVPN…
https://spinsafe.com/wp-content/uploads/2022/11/hackers-packing-malware-vpn-apps-android-news.jpg398708SecureTechhttps://spinsafe.com/wp-content/uploads/2024/01/SS-Logo.svgSecureTech2022-11-25 21:30:052022-11-25 21:30:05Hackers Are Packing Malware Into VPN Apps For Android, Security Researchers Warn
