Safe Chat: A Fake Chat App in the Wild to Steal Sensitive Data

An Indian APT group is reportedly infecting Android phones in South Asia with spyware disguised as a chat app, to steal sensitive data.

The group is dubbed Bahamut, and its TTPs are similar to those of another Indian APT, called DoNot APT. The threat actor was found spreading its spyware through WhatsApp, on the pretext of a secure chat app. In reality, the downloaded spyware steals all identifiable information and data from other messenger apps, if installed.

Bahamut’s Fake Android Apps

CYFIRMA researchers noted that an Indian APT group called Bahamut is spreading a fake Android chat app called Safe Chat, on the pretext of a secure messenger for communication. The threat actors are conducting spear-phishing campaigns on WhatsApp to infect targets.

Once the Safe Chat app, which comes with a variant of the Coverlm malware, is installed on the target's device, it asks the user to grant an extensive set of permissions in order to work. To pass as a real chat app, Safe Chat even lets the user register on a fake sign-up page.

In the background, however, the malware unpacks and starts its operations. Initially, the fake chat app asks for Accessibility permissions, which are in turn used to access the contacts list, SMS, call logs and external device storage, and to fetch precise GPS location data from the infected device.

Further, it steals data from other communication apps such as Telegram, Signal, WhatsApp, Viber and Facebook Messenger, if they are installed on the device. All of the stolen data is sent to the hacker's C2 via port 2053, and the exfiltration path is secured with Let's Encrypt certificates to avoid interception.

The stolen data is also encrypted using RSA, ECB, and OAEPPadding techniques to avoid detection. Researchers linked the threat actor to an unnamed state government in India and also to the DoNot APT group, citing similar TTPs, stealing methodologies and targeting scope.
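The permission pattern described above (an accessibility service combined with access to contacts, SMS, call logs, storage and precise location) can be checked during APK triage. The following is an added example, not code from CYFIRMA or the original article; it assumes the manifest has already been decoded to text XML (for example with apktool), and the mapping to Android permission names, the three-category threshold and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Data categories named in the article -> standard Android permissions (my mapping).
SENSITIVE = {
    "contacts": "android.permission.READ_CONTACTS",
    "sms": "android.permission.READ_SMS",
    "call_logs": "android.permission.READ_CALL_LOG",
    "external_storage": "android.permission.READ_EXTERNAL_STORAGE",
    "precise_location": "android.permission.ACCESS_FINE_LOCATION",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

def triage_manifest(manifest_xml, min_categories=3):
    """Flag a manifest that pairs an accessibility service with broad data access."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    categories = sorted(c for c, p in SENSITIVE.items() if p in requested)
    services = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # An accessibility service is bound by the system and handles this action.
        if svc.get(A + "permission") == BIND_A11Y and A11Y_ACTION in actions:
            services.append(svc.get(A + "name"))
    return {"accessibility_services": services,
            "sensitive_categories": categories,
            "flag": bool(services) and len(categories) >= min_categories}

# Constructed sample manifest (not taken from the Safe Chat APK).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A flag is a prompt for manual review, not a verdict: legitimate assistive apps also declare accessibility services, so the result should be weighed against the app's stated purpose and distribution channel.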
