RestorePrivacy
Hackers Target Users with Trojanized VPN Apps that Are Spyware

November 23, 2022 By Heinrich Long — 3 Comments

ESET researchers have discovered a new campaign attributed to the Bahamut APT (advanced persistent threat), which uses a VPN app as a lure to infect targets with Android spyware.

Bahamut is a cyberespionage threat group that has been operational since 2017, targeting primarily the Middle East and South Asia.

The VPN apps used by the Bahamut hackers are trojanized versions of SoftVPN and OpenVPN, distributed through a fake SecureVPN site where victims end up after clicking on links embedded in phishing emails.

Figure: Fake ‘SecureVPN’ site distributing the malicious VPN app (Source: ESET)

The downloaded APK files install the usable VPN application, but they also infect the devices with spyware capable of exfiltrating SMS, tracking location, and recording phone calls.

Additionally, the spyware can intercept all communications on otherwise secure instant messaging apps like Signal, Viber, WhatsApp, Telegram, and Messenger.

VPN Spyware Details

ESET’s analysts were able to sample eight different versions of the spyware, following a progressive version numbering that indicates gradual development.

Earlier versions were based on SoftVPN, while later versions are based on the legitimate open-source application OpenVPN, which has over 10 million downloads on Google Play.

The threat actor was likely forced to switch to the latter when SoftVPN stopped working and server connectivity became unreliable, which threatened to compromise the operation.

Both contain the same malicious code, with only minor refactoring and optimizations that don’t impact the spyware’s core functionality.

The spyware will only activate if a valid key is provided from the server side, meaning that the threat actors have validated the target and enabled the app remotely.

When activated, the app can steal the following data:

  • contacts
  • SMS messages
  • call logs
  • a list of installed apps
  • device location
  • device accounts
  • device info (type of internet connection, IMEI, IP, SIM serial number)
  • recorded phone calls
  • a list of files on external storage

The fake VPN app also requests access to Accessibility services upon installation, which it abuses to perform screen actions and view the content of secure screens, normally hidden from remote connections.

This enables the spyware to steal notes from SafeNotes, Messenger, Viber, Signal, WhatsApp, Telegram, WeChat, and Conion.
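The two passages above (the list of data categories the spyware collects, and the abuse of Accessibility services) translate directly into permissions and component declarations that are visible in an app's manifest before anything is installed. The following triage script is an added example, not code from ESET or RestorePrivacy: it takes an AndroidManifest.xml that has already been decoded to plain XML (for instance with apktool; that decoding step is assumed, not shown) and flags permissions a VPN client has no reason to request, plus any declared accessibility service. The two manifests embedded below are constructed for illustration, and the mapping from permissions to the article's data categories, as well as the "expected for a VPN" baseline, are the example's own heuristics.

```python
"""Static triage of a decoded AndroidManifest.xml for VPN-shaped apps.

Added example (not ESET's or RestorePrivacy's code). Assumes the manifest is
already plain XML, e.g. the output of apktool. Sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Baseline of permissions a legitimate VPN client plausibly needs (assumed, not exhaustive).
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions mapped to the data categories the article says the spyware steals (heuristic mapping).
SPYWARE_INDICATORS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.GET_ACCOUNTS": "device accounts",
    "android.permission.READ_PHONE_STATE": "device info (IMEI, SIM serial)",
    "android.permission.RECORD_AUDIO": "recorded phone calls",
    "android.permission.READ_EXTERNAL_STORAGE": "files on external storage",
}

# An accessibility service is a <service> bound with this permission; a VPN service uses BIND_VPN_SERVICE.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"


def triage_manifest(xml_text):
    """Return which stolen-data categories the requested permissions enable,
    whether an accessibility service is declared, and any other unexpected permissions."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    findings = {}
    for perm in sorted(requested & SPYWARE_INDICATORS.keys()):
        findings.setdefault(SPYWARE_INDICATORS[perm], []).append(perm)
    bound = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    return {
        "findings": findings,
        "accessibility_service": ACCESSIBILITY_BIND in bound,
        "vpn_service": VPN_BIND in bound,
        "other": sorted(requested - EXPECTED_FOR_VPN - SPYWARE_INDICATORS.keys()),
    }


def risk_level(report):
    """Accessibility access or three or more stolen-data categories is high; any category is medium."""
    categories = len(report["findings"])
    if report["accessibility_service"] or categories >= 3:
        return "high"
    return "medium" if categories else "low"


# Constructed sample: a VPN-shaped app that also asks for spyware-grade access.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.securevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="SecureVPN">
    <service android:name=".VpnTunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: what an unremarkable VPN client's manifest looks like under the same check.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="PlainVPN">
    <service android:name=".VpnTunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(text)
        print(label, risk_level(report), report)
```

Run on the constructed samples, the first manifest comes back "high" (five stolen-data categories plus an accessibility service) and the second "low". The check is deliberately coarse: a permission only shows capability, not intent, so it is a reason to look closer at the app and its distribution channel, not a verdict on its own.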

Stolen data is stored locally on a database created by the malicious app and sent to the command and control server when the threat actors choose.

ESET attributes the bogus SecureVPN campaign to Bahamut after comparing the code class structure and SQL query with Bahamut malware seen in past campaigns and noticing extensive similarities.

Figure: Class structure comparison between older Bahamut malware (left) and SecureVPN app spyware (right) (Source: ESET)

While this threat group has predominantly targeted users in South Asia, that does not mean it is unlikely to focus on other parts of the world if its espionage goals change.

Free VPN apps are notoriously risky. A landmark study examining 270 free Android VPN apps found that 38% contained malware and roughly 82% of the apps attempted to access the user’s sensitive data. While there are reputable free VPNs that operate on the freemium business model, such as Proton VPN and Atlas VPN, it is still wise to proceed with caution, especially given the amount of trust that one places in a VPN service.

Users are advised to be cautious of messages asking them to download a VPN app, and always check the reputation of VPN vendors before installing anything that can snoop on their network traffic.


About Heinrich Long

Heinrich is an associate editor for RestorePrivacy and veteran expert in the digital privacy field. He was born in a small town in the Midwest (USA) before setting sail for offshore destinations. Although he long chafed at the global loss of online privacy, after Edward Snowden’s revelations in 2013, Heinrich realized it was time to join the good fight for digital privacy rights. Heinrich enjoys traveling the world, while also keeping his location and digital tracks covered.

Reader Interactions

Comments

  1. Cat Bat Rat

    November 23, 2022

    More and more people are feeling the need to use a VPN for a variety of reasons, but not everyone can afford a VPN subscription, and so millions resort to using a free VPN. This makes the free VPN market very alluring for advertisers and data collectors as well as malicious actors. In fact, there have been instances where a data breach at a free VPN service exposed sensitive information of millions of users.
    It is high time Google and Apple take stringent measures for quality control of free VPN applications on their app stores.
    There are so many free VPN applications that collect and harvest user data, like Thunder VPN and Hola VPN. Many such VPNs are Chinese honeypots, and we only know the tip of the iceberg. Data collection is a massive industry. Some credible sources and users based in China confirm heavy Chinese surveillance machinery within their home country and the use of Chinese apps like their free VPN apps and apps like TikTok for extensive data collection and surveillance of users outside China. This is state-sponsored surveillance of an innocent population which has nothing to do with the state, and such data collection has geopolitical implications, especially in these turbulent times.

    Free VPNs I recommend are:
    Tunnelbear
    Adguard VPN
    Proton VPN
    Atlas VPN

    Some other not so good options,
    Windscribe
    Hide.me
    Hotspot Shield and other sibling VPNs

    VPNs I do not recommend:
    All the rest of the free VPNs, especially those which are not reputed and trusted names, as about 75 percent of free VPNs are Chinese honeypots.

    A VPN is a necessary tool for preventing third parties and even second parties from knowing the geolocation and IP address of the user, and it prevents tracking by IP address, which is very significant. It also confuses trackers by sharing an IP address with other users and hides monitoring of your online activity by the ISP, and thus from a not-so-reliable government. A VPN is a great addition and supplement to existing HTTPS security.
    Unblocking is a plus.
    A VPN helps mitigate privacy invasion, tracking and surveillance, and that is why dictatorial regimes and partially democratic republics like India hate VPNs.

    Reply
    • BoBeX

      November 24, 2022

      I agree.
      Societies should have a basic set of freedoms, including free access to the internet.

      Reply
    • PerhapsAPerson

      November 30, 2022

      I personally think Calyx VPN/Riseup VPN could be added to the list of good free VPNS.

      Reply

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP