ESET researchers have discovered a new campaign attributed to the Bahamut APT (advanced persistent threat), which uses a VPN app as a lure to infect targets with Android spyware.
Bahamut is a cyberespionage threat group that has been operational since 2017, targeting primarily the Middle East and South Asia.
The VPN apps used by the Bahamut hackers are trojanized versions of SoftVPN and OpenVPN, distributed through a fake SecureVPN site where victims end up after clicking on links embedded in phishing emails.
The downloaded APK files install the usable VPN application, but they also infect the devices with spyware capable of exfiltrating SMS, tracking location, and recording phone calls.
Additionally, the spyware can intercept all communications on otherwise secure instant messaging apps like Signal, Viber, WhatsApp, Telegram, and Messenger.
VPN Spyware Details
ESET’s analysts were able to sample eight different versions of the spyware, following a progressive version numbering that indicates gradual development.
Earlier versions were based on SoftVPN, while later versions are based on the legitimate open-source application OpenVPN, which has over 10 million downloads on Google Play.
Likely, the threat actor was forced to pick up the latter when SoftVPN stopped working and made server connectivity unreliable, threatening to compromise the operation.
Both contain the same malicious code, with only minor refactoring and optimizations that don’t impact the spyware’s core functionality.
The spyware will only activate if a valid key is provided from the server side, meaning that the threat actors have validated the target and enabled the app remotely.
When activated, the app can steal the following data:
- SMS messages
- call logs
- a list of installed apps
- device location
- device accounts
- device info (type of internet connection, IMEI, IP, SIM serial number)
- recorded phone calls
- a list of files on external storage
The fake VPN app also requests access to Accessibility services upon installation, which it abuses to perform screen actions and view the content of secure screens, normally hidden from remote connections.
Stolen data is stored locally on a database created by the malicious app and sent to the command and control server when the threat actors choose.
ESET attributes the bogus SecureVPN campaign to Bahamut after comparing the code class structure and SQL query with Bahamut malware seen in past campaigns and noticing extensive similarities.
While this threat group has been predominately targeting users in South Asia, it doesn’t mean that it’s unlikely to focus on other parts of the world if its espionage goals change.
Free VPN apps are notoriously risky. A landmark study examining 270 free Android VPN apps found that 38% contained malware and roughly 82% of the apps attempted to access the user’s sensitive data. While there are reputable free VPNs that operate on the freemium business model, such as with Proton VPN and Atlas VPN, it is still wise to proceed with caution, especially given the amount of trust that one places in a VPN service.
Users are advised to be cautious of messages asking them to download a VPN app, and always check the reputation of VPN vendors before installing anything that can snoop on their network traffic.