A notorious cyber mercenary group is injecting Android devices with spyware to steal users’ conversations, new ESET research confirms.
These malicious attacks are launched through fake Android VPN apps. Evidence indicates that the hackers used trojanized versions of SecureVPN, SoftVPN and OpenVPN.
Known as Bahamut APT, the group is believed to be a hacker-for-hire service that usually launches its attacks through spear-phishing messages and fake apps. According to previous reports, its hackers have been targeting organizations and individuals across the Middle East and South Asia since 2016.
ESET researchers believe the group’s campaign to distribute malicious VPN apps, estimated to have started in January 2022, is still ongoing.
From phishing emails to fake VPNs
said Lukáš Štefanko, the ESET researcher who first discovered the malware.
“In addition, the application requests an activation key before enabling the VPN and spyware functionality. It is likely that both the activation key and the website link will be sent to the targeted users.”
Once the app is activated, Bahamut hackers can remotely control the spyware, Štefanko explains. This means they are able to infiltrate the device and harvest large amounts of users’ sensitive data.
“The data is extracted through the keylogging functionality of the malware, which abuses accessibility services,” he said.
From SMS messages, call logs, device locations and other details, to encrypted messaging apps like WhatsApp, Telegram or Signal, these cyber criminals can spy on virtually anything they find on victims’ devices without the victims knowing about it.
ESET has identified at least eight versions of these trojanized VPN apps, which indicates that the campaign is well maintained.
It should be noted that no malware was associated with the legitimate services, and none of the malware-infected apps were promoted on Google Play.
However, the initial distribution vector is still unknown. Based on how Bahamut APT normally operates, a malicious link was likely sent via email, social media or SMS.
What do we know about Bahamut APT?
Although it is not clear who is behind it, Bahamut APT appears to be a group of mercenary hackers, as its attacks do not follow a specific political interest.
Bahamut has been carrying out large-scale cyber espionage campaigns since 2016, especially in the Middle East and South Asia.
The investigative journalism group Bellingcat was the first to disclose its operations in 2017, describing how international and regional powers are actively involved in these surveillance operations.
“Hence, Bahamut is noteworthy as a vision of a future where modern communications have lowered barriers for smaller countries to conduct effective control over local dissidents and to extend themselves beyond their borders,” Bellingcat concluded at the time.
The group was then given the name Bahamut, after the giant fish floating in the Arabian Sea described in Jorge Luis Borges’ Book of Imaginary Beings.
Recently, another investigation highlighted how the advanced persistent threat (APT) group is increasingly focusing on mobile devices as a primary target.
Cyber security company Cyble first spotted this new trend this past April, stating that the Bahamut group “plans its attack on the target, stays in the wild for a period of time, and allows its attack to affect many individuals and organizations, and finally steals their data.”
In this case too, the researchers emphasized the cybercriminals’ ability to develop well-designed phishing websites to deceive victims and gain their trust.
As Lukáš Štefanko confirmed about the fake Android apps incident: “The spyware’s code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated into a local database before it is sent to the operators’ server, a tactic rarely seen in mobile cyber espionage apps.”