The Bahamut APT group has been targeting Android users via fake SecureVPN websites since at least January 2022.
According to new recommendations from EssetThe apps used as part of this malicious campaign were trojanized versions of one of two legitimate VPN apps, SoftVPN or OpenVPN. In both cases the app was repackaged with the Bahamut spyware code.
“We were able to identify at least eight versions of these apps that were maliciously patched, with code changes and updates made available through the distribution website. could mean that,” writes Eset.
Security researchers explained that the main purpose of the app modification was to steal sensitive user data and spy on the victim’s messaging app.
In particular, fake SecureVPN Android apps can extract sensitive data such as SMS messages, contacts, call history, device location, and recorded calls.
It also enabled spying on chat messages on several messaging apps like WhatsApp, Signal, Viber, Telegram, Facebook Messenger, etc.
Data exfiltration is performed via the malware’s keylogging functionality, which relies on Android’s accessibility services. Eset suggested the campaign was highly targeted as no instances were found in his telemetry data.
“We believe our targets are carefully chosen because when Bahamut Spyware is launched, it asks for an activation key before enabling VPN and spyware functionality. It may be sent to your target audience.” technical writing.
Nonetheless, the advisory highlights that the Bahamut APT group, active since at least 2017, typically targets companies and individuals in the Middle East and South Asia.
“Bahamut specializes in cyber espionage and believes its purpose is to steal sensitive information from victims,” writes Eset. “Bahamut is also known as a mercenary group that provides hack-for-hire services to a wide range of clients.”
The company’s advisory comes a few weeks after security researchers at Zimperium discovered a new Android spyware family. “Rat Milad” Attempting to infect enterprise devices in the Middle East.