The Bahamut APT group has been targeting Android users through a fake SecureVPN website since at least January 2022.
According to a new advisory from Eset, the app used as part of this malicious campaign was a trojanized version of either of two legitimate VPN apps, SoftVPN or OpenVPN. In both instances, the apps were repackaged with Bahamut spyware code.
“We were able to identify at least eight versions of these maliciously patched apps with code changes and updates being made available through the distribution website, which might mean that the campaign is well maintained,” Eset wrote.
The security researchers explained that the primary purpose of the app modifications was to exfiltrate sensitive user data and spy on victims’ messaging apps.
In particular, the fake SecureVPN Android apps could extract sensitive data such as SMS messages, contacts, call logs, device location and recorded phone calls.
They also enabled the spying of chat messages on several messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.
Data exfiltration is performed via the keylogging functionality of the malware, which relies on Android’s accessibility services. Eset suggested that the campaign appears highly targeted, as the company did not notice any instances in their telemetry data.
“We believe that targets are carefully chosen since once the Bahamut spyware is launched, it requests an activation key before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely sent to targeted users,” reads the technical write-up.
Despite this, the advisory highlights that the Bahamut APT group, active since at least 2017, typically targets companies and individuals in the Middle East and South Asia.
“Bahamut specializes in cyberespionage, and we believe its goal is to steal sensitive information from its victims,” Eset wrote. “Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients.”
The company’s advisory comes weeks after security researchers at Zimperium discovered a new Android spyware family dubbed ‘RatMilad’ trying to infect an enterprise device in the Middle East.