Bahamut Spyware Group Compromises Android Devices Via Fake VPN Apps - Infosecurity Magazine

The Bahamut APT group has been targeting Android users through a fake SecureVPN website since at least January 2022.

According to a new advisory from Eset, the app used as part of this malicious campaign was a trojanized version of either of two legitimate VPN apps, SoftVPN or OpenVPN. In some instances, the apps were repackaged with Bahamut spyware code.

"We were able to identify at least 8 versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained," Eset wrote.

The security researchers explained that the primary purpose of the app modifications was to exfiltrate sensitive user information and spy on victims' messaging apps.

In particular, the fake SecureVPN Android apps could extract sensitive information such as SMS messages, contacts, call logs, device location and recorded phone calls.

They also enabled the spying of chat messages on several messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.

Data exfiltration is performed via the keylogging functionality of the malware, which relies on Android's accessibility services. Eset suggested that the campaign appears highly targeted, as the company did not notice any instances in their telemetry data.

"We believe that targets are carefully chosen since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users," reads the technical write-up.

Despite this, the advisory highlights that the Bahamut APT group, active since at least 2017, typically targets companies and individuals in the Middle East and South Asia.

"Bahamut specializes in cyberespionage, and we believe its goal is to steal sensitive information from its victims," Eset wrote. "Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients."

The company's advisory comes weeks after security researchers at Zimperium discovered a new Android spyware family dubbed 'RatMilad' trying to infect an enterprise device in the Middle East.