Android users targeted with spyware posing as fake VPN apps

  • Monday, 28th November, 2022
  • 11:31am

Android users in the Middle East and South Asia are being targeted by a government-linked group with spyware posing as VPN websites, according to a new report from ESET.

Researchers determined the campaign has been running since January, and attributed it to the notorious Bahamut advanced persistent threat (APT) group. The organization did not respond to requests for comment about which country the APT is believed to be affiliated with.

The spyware is being distributed through a fake SecureVPN website with apps for Android. The malware has no association with SecureVPN but is being distributed through two legitimate VPN apps – SoftVPN or OpenVPN – that are being repackaged with the Bahamut spyware code.

If the spyware is enabled, ESET said it can be controlled remotely by Bahamut operators to exfiltrate any information they want, including a user’s contacts, SMS messages, recorded phone calls, device location and even chat messages from apps like WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.

ESET researcher Lukáš Štefanko said the data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. 

https://therecord.media/android-users-in-middle-east-south-asia-targeted-with-spyware-posing-as-fake-vpn-apps/
