New SandStrike spyware infects Android devices via malicious VPN app - BleepingComputer


Threat actors are using newly discovered spyware known as SandStrike, delivered via a malicious VPN application, to target Android users.

They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion that developed in Iran and parts of the Middle East.

The attackers promote the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions.

To spread it, they use social media accounts to redirect potential victims to a Telegram channel that supplies links to download and install the booby-trapped VPN.

"To lure victims into downloading spyware implants, the SandStrike adversaries set up Facebook and Instagram accounts with more than 1,000 followers and designed attractive religious-themed materials, setting up an effective trap for adherents of this belief," Kaspersky said.

"Most of these social media accounts contain a link to a Telegram channel also created by the attacker."

While the app is fully functional and even uses its own VPN infrastructure, the VPN client also installs the SandStrike spyware, which scours victims' devices for sensitive information and exfiltrates it to its operators' servers.

This malware will steal various types of information such as call logs and contact lists and will also monitor compromised Android devices to help its creators keep track of the victims' activity.

Middle East malicious activity recap

Security researchers who spotted the malware in the wild have yet to pin its development on a specific threat group.

On Tuesday, Kaspersky also published its APT trends report for Q3 2022, highlighting more interesting discoveries linked to malicious activity in the Middle East.

The company highlights a new IIS backdoor known as FramedGolf deployed in attacks targeting Exchange servers not patched against ProxyLogon-type security flaws.

"The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022," Kaspersky revealed.

In September, the company also shared research on a newly found malware platform dubbed Metatron used against telecom companies, internet service providers, and universities across Africa and the Middle East.

Kaspersky says Metatron "is a modular implant boot-strapped through a Microsoft Console Debugger script" that comes with "multiple transport modes and offers forwarding and port knocking features."
