Cyber mercenary ‘Bahamut’ targets Android users by posing as VPN apps
Like the ancient mythological fish that bears its name, the Bahamut cybercrime group is hidden from view, swimming deep below the surface of the digital realm.
Bahamut has earned the moniker of cyber mercenary and specializes in phishing attacks. It targets companies and individuals in the Middle East and South Asia.
After a year of staying off the radar, the Advanced Persistent Threat (APT) group re-emerged in 2022 to attack mobile devices, tricking users into thinking they were downloading a VPN.
What is a VPN?
A virtual private network, or VPN, allows you to surf the web with a degree of anonymity.
It makes your IP address appear to come from somewhere else, meaning you can bypass laws specific to your area that block certain content.
It often does this by encrypting your internet connection. VPNs also make it harder for cybercriminals to find your computer.
They help protect private data by only allowing external user access through encryption and tunneling protocols.
Ironically, the people who were duped by Bahamut’s scheme were probably trying to strengthen network security.
Bahamut enters the scene
In 2016, the cyber mercenary group began launching espionage campaigns in South Asia and the Middle East. Their victims seemed to have only one thing in common: They were human rights activists.
After a few years of illegal activity, Bahamut disappeared for a while, only to reappear this year. In 2022, Bahamut started targeting Android users who wanted to download a VPN.
The cybercrime group created a well-designed fake website that offered supposed VPN software. It most likely reaches its audience through targeted messaging, sending them links to its website.
Anyone who tries to download the software from an Android phone will be hacked.
What kind of data can they collect?
The hack installs spyware in the form of apps on victims’ phones.
This allows cybercriminals to access sensitive information such as usernames, passwords, SMS messages and even people’s current location.
Virtually all information on someone’s phone becomes available in this attack.
Bahamut appears to collect sensitive or embarrassing information about users, which it can use for blackmail purposes. The motives are still unclear.
None of the infected apps are available on the Google Play Store. Users have to download them through the malicious website masquerading as a legitimate VPN service.
Yet, because the website is so polished, the victims’ suspicions are not aroused.
What is spyware?
“Spyware” is a blend of “spy” and “software.” It is a type of passive cyberattack that allows criminals to monitor someone’s activity.
Hackers install software on a victim’s device that allows them to collect personal information.
The hacker can see the user’s online behavior – such as which websites they visit and keystrokes they use the most – and use this data for profit.
Spyware can take screenshots of someone’s online activity and can collect information such as login credentials, credit card numbers, account PINs and email addresses.
In the case of the Bahamut VPN scheme, users download the app and enter an activation key. The spyware becomes active when they do this.
How to avoid Bahamut’s latest scheme
Install antivirus software on your phone if you are an Android user. Be careful with apps you have to download from a third-party site.
Also, never open links from unknown email accounts, as these can lead to malicious websites that install spyware or lure you into a phishing scam.
Even if a website looks legitimate, be aware that it could be a case of website spoofing, as anyone can create a professional-looking website.
Following these common sense online safety tips should keep you out of Bahamut’s sinister grasp.