Jump to content
  • Hackers modify popular OpenVPN Android app to include spyware

    alf9872000

    • 346 views
    • 3 minutes
     Share


    • 346 views
    • 3 minutes

    A threat actor associated with cyberespionage operations since at least 2017 has been luring victims with fake VPN software for Android that is a trojanized version of legitimate software SoftVPN and OpenVPN.

     

    Researchers say that the campaign was "highly targeted" and aimed at stealing contact and call data, device location, as well as messages from multiple apps.

    VPN service impersonation

    The operation has been attributed to an advanced threat actor tracked as Bahamut, which is believed to be a mercenary group providing hack-for-hire services.

     

    ESET malware analyst Lukas Stefanko says that Bahamut repackaged the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.

     

    By doing this, the actor ensured that the app would still provide VPN functionality to the victim while exfiltrating sensitive information from the mobile device.

     

    To hide their operation and for credibility purposes, Bahamut used the name SecureVPN (which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute their malicious app.

     

    BahamutTheSecureVPNsite.png

    Bahamut's fake SecureVPN website - source: ESET

     

    Stefanko says that the hackers' fraudulent VPN app can steal contacts, call logs, location details, SMS, spy on chats in messaging apps like Signal, Viber, WhatsApp, Telegram, and Facebook's Messenger, as well as collect a list of files available in external storage.

     

    ESET's researcher discovered eight versions of Bahamut's spying VPN app, all with chronological version numbers, suggesting active development.

     

    All fake apps included code observed only in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity companies Cyble and CoreSec360 [12].

     

    BahamutSQLquery_SecureChat-SecureVPN.jpg

    SQL queries Bahamut used in its malicious SecureChat and SecureVPN apps - source: ESET

     

    It is worth noting that none of the trojanized VPN versions were available through Google Play, the official repository for Android resources, another indication of the targeted nature of the operation.

     

    The method for the initial distribution vector is unknown but it could be anything from phishing over email, social media, or other communication channels.

     

    Details about Bahamut operations emerged in the public space in 2017 when journalists at the investigative group Bellingcat published an article about the espionage actor targeting Middle Eastern human rights activists.

     

    Connecting Bahamut to other threat actors is a tall order considering that the group relies greatly on publicly available tools, constantly changes tactics, and its targets are not in a particular region.

     

    However, BlackBerry researchers note in an extensive report on Bahamut in 2020 that the group " appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess."

     

    Some threat actor groups Bahamut has been associated with include Windshift and Urpage.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...