ESET discovers active campaign targeting Android users

Tue, 29th Nov 2022

FYI, this story is more than a year old

ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been ongoing since the start of this year, the researchers state.

Malicious spyware apps are distributed through a fake SecureVPN website that provides only trojanised Android apps to download. This website has no association whatsoever with the legitimate, multi-platform SecureVPN software and service, according to ESET.

Malicious apps used in this campaign are able to exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram.

ESET researchers discovered at least eight versions of the Bahamut spyware, which could mean the campaign is well-maintained. The malicious apps were never available for download from Google Play.

“The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our telemetry data,” explains ESET researcher Luk tefanko, who discovered and analysed the dangerous Android malware.

“Additionally, the app requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” adds tefanko.

This layer aims to protect the malicious payload from being triggered right after launch on a non-targeted user device or when being analysed. ESET Research has already seen similar protection being used in another campaign by the Bahamut group, the company said in a statement.

All exfiltrated data is stored in a local database and then sent to the Command and Control (C&C) server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.

If the Bahamut spyware is enabled, it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data. This includes contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info (type of internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage.

By misusing accessibility services, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps, such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

The Bahamut APT group typically uses spearphishing messages and fake applications as the initial attack vector, against entities and individuals in the Middle East and South Asia. Bahamut specialises in cyber-espionage, and ESET Research believes that its goal is to steal sensitive information from its victims.

Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group.

Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish, ESET states.