SecurityWeek

Hack-for-Hire Group Targets Android Users With Malicious VPN Apps

A hack-for-hire group known as Bahamut has been targeting Android users with trojanized versions of legitimate VPN applications, ESET reports.

An advanced persistent threat (APT) actor focused on cyberespionage, Bahamut was initially detailed in 2017, but continues to be active, leveraging a fake online empire of social media personas, websites, and applications, which has allowed it to fly under the radar.

A mercenary group offering hack-for-hire services, Bahamut is known for targeting entities in the Middle East and South Asia, mainly via spearphishing and fake applications, with a focus on stealing sensitive information.

Also tracked as Ehdevel, Windshift, Urpage, and The White Company, Bahamut has hit government officials and politicians, human rights entities, organizations in the financial services and technology sectors, journalists, military organizations, scholars, and aerospace entities.

Starting January 2022, the APT has been observed distributing malicious Android applications via a fake SecureVPN website that offers trojanized versions of SoftVPN and OpenVPN.

Bahamut registered the fake SecureVPN website at the end of January 2022. The fake VPN app targeting Android has been distributed solely via the website, ESET says.

The security firm observed similarities in the malicious code used in this campaign and code from earlier Bahamut attacks, and notes that the delivery technique remains the same.

According to ESET, at least eight versions of the Bahamut spyware have been available for download on the fake website, divided into two branches, as malicious code was inserted into either SoftVPN or OpenVPN, two legitimate applications available via Google Play.

“Besides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality,” ESET explains.

The threat actor is believed to have switched from SoftVPN to OpenVPN because SoftVPN stopped working or being maintained, which might have resulted in users uninstalling it.

ESET also points out that the way the malicious code has been injected into the OpenVPN app made it unusable without an activation key (neither the Bahamut spyware nor VPN functionality would work without a correct key).

“Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app. The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website,” ESET notes.

Once enabled, the Bahamut spyware can exfiltrate sensitive information, including user accounts, contacts, messages, calls, installed apps, device location, external storage information, and recorded calls.

The malware would also spy on applications such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
