The Android operating system is attractive because of its openness and the wide variety of free apps in its content store. That same openness, even though the attack vector in this case is not the Play Store, makes it a tempting target for miscreants, a reality made worse by its worldwide base of users and, therefore, potential targets.
ESET’s team of researchers has revealed the latest case of Android malware. The European company, which specializes in cyber security, has identified an active campaign targeting Android users.
The malicious application used was a trojanized version of one of two legitimate VPN applications, SoftVPN or OpenVPN.
The campaign is attributed to the Bahamut threat group, and its main goal is the theft of users’ sensitive data. Combined with the spying on popular messaging apps, this raises major concerns. The targeted platforms include WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.
More specifically, at different times the application used was a trojanized version of one of the two legitimate VPN applications, SoftVPN or OpenVPN. In either case, the app was repackaged with the Bahamut group’s spyware code.
The security company notes that at least eight versions of these malicious apps, each with code changes, have been identified. According to the available information, they are updated through the distribution website.
Both of these characteristics point to a well-organized campaign, one that has been active since the beginning of 2022.
None of the malicious apps were ever available for download from the Google Play Store. It should be noted that the method used to distribute the spyware-laden apps is itself, as a rule, a sign of an organized campaign.
The group’s spyware apps are distributed through a fake SecureVPN website that only offers trojanized Android apps for download. This website is not associated with the legitimate cross-platform SecureVPN software and services.
Spyware aims to steal information from WhatsApp, Facebook Messenger, Signal, Viber and Telegram
The main goal of the campaign is to steal communications: SMS messages, recorded phone calls, and chat messages from messaging apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.
According to ESET, these are likely highly targeted intrusion attempts: the malicious application requests an activation key before it enables the VPN and spyware functionality.
Both the activation key and the link to the fake website are likely sent directly to specific targeted users. This gating layer is intended to stop the malicious payload from triggering immediately after launch on an unintended device, or while the app is being analyzed.
The investigation found a similar protection mechanism in another campaign by the Bahamut group.
Data theft is the main purpose of this Android malware
All exfiltrated data is stored in a local database and then forwarded to a command and control (C&C) server.
The spyware’s functionality includes the ability to update the malicious application when it receives a link to a new version from the command and control server.
Spear-phishing messages and fake apps are commonly used by the Bahamut group as the initial attack vector against entities and individuals in the Middle East and South Asia.
In the case of this campaign, the initial distribution vector is not yet known. The Bahamut group specializes in cyber espionage and is described as a hack-for-hire group that sells unauthorized access services to various clients.