Bahamut uses fake VPN apps to steal Android user credentials

Bahamut is a notorious cyber mercenary group that has been active since 2016. It currently targets Android devices with fake VPN apps that carry malware designed to steal user credentials. The malware-laden apps were first discovered by Lukáš Štefanko of the Slovakian cybersecurity firm ESET.

Beware of Bahamut

ESET researchers discovered a new attack from the notorious cybercrime group Bahamut. The group launched malware attacks through fake Android VPN applications. Research revealed that hackers are using malicious versions of SoftVPN, SecureVPN and OpenVPN software.

In this highly targeted campaign, the attackers aim to extract sensitive data from infected devices. The campaign started on 22 January. The fake VPN apps are distributed through a fake SecureVPN website. In previous Bahamut campaigns, the main targets were located in the Middle East and South Asia.

8 varieties of spyware detected

Researchers have identified 8 different variants of the infected apps. These contain trojanized versions of genuine VPN apps such as OpenVPN. Bahamut offers these fake VPN apps as a service for hire.

Malicious website that spreads SecureVPN and the permission it asks for during installation (Image: ESET)

According to ESET’s blog post, attacks are launched via spear phishing messages and fake apps. Researchers believe that this campaign is still active.

The targets are reportedly carefully selected, because the app requires the victim to enter an activation key that is delivered together with the app through the distribution vector. The activation key is used to establish contact with the attacker-controlled server, and it prevents the malware from being launched accidentally if the app ends up on a non-targeted device.

How does the attack work?

According to Štefanko, the fake app asks for an activation key before its VPN and spyware features are activated. The key and the download URL are sent to the targeted users. Once the app is activated, the attackers gain remote control of the spyware and can harvest confidential user data.


Furthermore, the attackers can spy on almost everything stored on the device, including call logs, SMS messages, device location, and data from WhatsApp, Telegram, Signal and other encrypted messaging apps. The victim remains unaware of the data collection.

“The data exfiltration is done via the key logging feature of the malware, which abuses accessibility services,” Štefanko said.

It is worth noting that the malware associated with the service and the malware-infected app were not promoted on Google Play. Also, the researchers are unaware of the original distribution vector, but they believe it is through social media, SMS or email.
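The keylogging described above works by abusing Android's accessibility services, so one practical defender-side check is to compare the accessibility services actually enabled on a device against the ones you expect. The script below is an added example written for this article; it is not ESET's tooling or anything from the campaign. It parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns (a real Android setting) and reports any service not on an allowlist. The service and package names in the sample value and allowlist are constructed, hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from ESET): report enabled Android
# accessibility services that are not on an allowlist. On a real device the
# value comes from:
#   adb shell settings get secure enabled_accessibility_services | tr -d '\r'
# Entries are separated by ':' and look like <package>/<service class>.

# Accessibility services you expect on the device (assumed; adjust to your fleet).
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of the setting's value; the second entry is a hypothetical
# fake-VPN package that has registered its own accessibility service.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.securevpn/com.example.securevpn.AccessibilityService"

# unexpected_services VALUE ALLOWLIST
# Prints every enabled service that is not in ALLOWLIST, one per line.
# An empty or "null" VALUE (no services enabled) prints nothing.
unexpected_services() {
    value=$1
    allow=$2
    [ -z "$value" ] && return 0
    [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$allow:" in
            *":$svc:"*) ;;                 # allowlisted, ignore
            *) printf '%s\n' "$svc" ;;     # not expected: flag it
        esac
    done
}

# Stand-alone run against the constructed sample; swap in the adb output above
# when checking a real device.
unexpected_services "$SAMPLE_SERVICES" "$ALLOWLIST"
```

Any line the script prints deserves a look: a VPN app has no legitimate need for an accessibility service, and an unexpected entry is a cheap indicator that something is positioned to capture keystrokes.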
