Hack-for-Hire Group Targets Android Users With Malicious VPN Apps

A hack-for-hire group known as Bahamut has been targeting Android users with trojanized versions of legitimate VPN applications, ESET reports.

An advanced persistent threat (APT) actor focused on cyberespionage, Bahamut was initially detailed in 2017, but continues to be active, leveraging a fake online empire of social media personas, websites, and applications, which has allowed it to fly under the radar.

A mercenary group offering hack-for-hire services, Bahamut is known for targeting entities in the Middle East and South Asia, mainly via spearphishing and fake applications, with a focus on stealing sensitive information.

Also tracked as Ehdevel, Windshift, Urpage, and The White Company, Bahamut has hit government officials and politicians, human rights entities, organizations in the financial services and technology sectors, journalists, military organizations, scholars, and aerospace entities.

Starting January 2022, the APT has been observed distributing malicious Android applications via a fake SecureVPN website that serves trojanized versions of SoftVPN and OpenVPN.

Bahamut registered the fake SecureVPN website at the end of January 2022. The fake VPN app targeting Android has been distributed solely via the website, ESET says.

The security firm observed similarities in the malicious code used in this campaign and code from earlier Bahamut attacks, and notes that the delivery technique remains the same.

According to ESET, at least eight versions of the Bahamut spyware have been available for download on the fake website, divided into two branches, as malicious code was inserted into either SoftVPN or OpenVPN, two legitimate applications available via Google Play.

“Besides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality,” ESET explains.

The threat actor is believed to have switched from SoftVPN to OpenVPN because SoftVPN stopped working or being maintained, which might have resulted in users uninstalling it.

ESET also points out that the way the malicious code has been injected into the OpenVPN app made it unusable without an activation key (neither the Bahamut spyware nor VPN functionality would work without a correct key).

“Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app. The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website,” ESET notes.

Once enabled, the Bahamut spyware can exfiltrate sensitive information, including user accounts, contacts, messages, calls, installed apps, device location, external storage information, and recorded calls.

The malware would also spy on applications such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
