According to a blog post by the cybersecurity research firm ESET, its researchers have identified an active campaign targeting Android users. The campaign is attributed to the Bahamut APT group and has been active since January 2022.
How is malware distributed?
In this campaign, the “cybermercenary group” distributes malicious apps through a fake SecureVPN website that offers only Android apps for download. The trojanised apps carry the same names as the legitimate apps they are built from, SoftVPN and OpenVPN.
These fake versions are the legitimate apps repackaged with Bahamut spyware code that the group has used in earlier attacks. ESET says it identified at least eight versions of these maliciously patched apps.
The main purpose of these apps is to extract sensitive user data and spy on victims’ messaging apps, the firm says. The apps exfiltrate contacts, SMS messages, recorded phone calls and even chat messages from apps such as Signal, Viber, and Telegram.
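A repackaged VPN client that harvests contacts, SMS and call recordings has to declare permissions a real VPN never needs, and reading chat content from apps such as Signal or Telegram typically relies on an accessibility service. The triage script below is an added example, not ESET's tooling or any artefact from the campaign: it takes an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool) and flags the permission and service declarations that contradict the app's advertised purpose. The two sample manifests, the package name com.example.securevpn and the service name .ui.AccessibilityHelper are constructed for illustration.

```python
"""Triage check for a 'VPN' APK: flag manifest declarations a VPN client has no
business making (SMS, contacts, call log, microphone, accessibility service).

Added example for this article, not ESET's code. Assumes the binary
AndroidManifest.xml has been decoded to plain XML, e.g. with apktool.
"""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions a VPN client legitimately needs (tunnel, connectivity, foreground service).
EXPECTED_VPN_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions that match the exfiltration the article describes: contacts, SMS, recorded calls.
SPYWARE_INDICATORS = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "dump contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.RECORD_AUDIO": "record calls / microphone",
    "android.permission.READ_PHONE_STATE": "phone identity and call state",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after reboot",
}

# A service bound with this permission can read on-screen content of other apps
# (the usual way spyware scrapes Signal, Viber or Telegram chats without any API).
ACCESSIBILITY_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the package name, human-readable findings and the set of
    requested permissions outside the expected VPN baseline."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    findings = [
        f"{perm}: {SPYWARE_INDICATORS[perm]}"
        for perm in sorted(requested & set(SPYWARE_INDICATORS))
    ]
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND_PERMISSION:
            findings.append(
                f"accessibility service {svc.get(NAME_ATTR)}: can scrape other apps' screens"
            )

    return {
        "package": package,
        "findings": findings,
        "unexpected_permissions": sorted(requested - EXPECTED_VPN_PERMISSIONS),
        "suspicious": bool(findings),
    }


# Constructed sample: what a trojanised VPN manifest might look like (hypothetical names).
TROJANISED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="SecureVPN">
        <service android:name=".ui.AccessibilityHelper"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a manifest with only what a VPN client actually needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="PlainVPN"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("trojanised", TROJANISED_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = analyze_manifest(manifest)
        print(f"[{label}] {report['package']} suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("   -", finding)
```

The check is a first-pass filter, not proof of compromise: a legitimate app can hold some of these permissions for a documented feature, so a hit should be followed by comparing the APK's signing certificate and package name with the vendor's official release before any conclusion is drawn.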
“We believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” it said in a blog post.
How the Bahamut APT group operates
According to ESET, the Bahamut APT group targets entities and individuals in the Middle East and South Asia. The group specialises in cyber espionage and is “also referred to as a mercenary group offering hack-for-hire services to a wide range of clients.” The group's mobile campaign is reportedly still active.