In a concerning cyber attack, hackers have been discovered using a deceptive Android application, ‘SafeChat,’ to infiltrate devices with spyware malware. The malicious software is designed to pilfer call logs, text messages, and GPS locations from targeted smartphones.
The Android spyware appears to be a variant of the known “Coverlm” malware, notorious for extracting data from popular communication apps like Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
Researchers from CYFIRMA have identified the Indian APT hacking group ‘Bahamut’ as the mastermind behind this campaign. Their latest modus operandi involves spear-phishing messages sent via WhatsApp, delivering harmful payloads directly to unsuspecting victims.
CYFIRMA analysts have pointed out striking similarities between Bahamut’s tactics, techniques, and procedures (TTPs) and those of another Indian state-sponsored threat group known as ‘DoNot APT’ (APT-C-35). The latter had previously infected Google Play Store with fake chat apps acting as spyware.
Notably, Bahamut had employed counterfeit VPN apps for the Android platform, complete with extensive spyware functionalities, as reported by ESET late last year.
In this latest campaign observed by CYFIRMA, Bahamut focuses its attacks on individuals located in South Asia.
“Safe Chat” – An Elaborate Ruse
While CYFIRMA’s researchers have not delved into the social engineering aspect of the attack, it is common for victims to be lured into installing the chat app under the guise of transitioning to a more secure platform.
The devious Safe Chat app features a misleading interface, giving the appearance of a genuine chat application. It further manipulates victims by leading them through a seemingly legitimate user registration process, enhancing its credibility and serving as a cover for the embedded spyware.
A crucial step in the infection process involves acquiring permissions to use Accessibility Services, which are subsequently abused to grant the spyware further permissions.
These additional permissions grant the spyware access to the victim’s contact list, SMS messages, call logs, external device storage, and precise GPS location data from the compromised device. The app also requests the user’s approval to exclude it from Android’s battery optimization subsystem, ensuring continuous background processes even when the app is not actively used.
CYFIRMA’s investigation reveals that the threat actor designed Safe Chat to interact with other chat applications already installed on the victim’s device, using intents to access specific directories and target apps.
Furthermore, a dedicated data exfiltration module is employed to transfer stolen information from the infected device to the attacker’s Command and Control (C2) server through port 2053. The stolen data is encrypted using an RSA, ECB, and OAEPPadding-supported module, while the hackers cleverly use a “letsencrypt” certificate to evade interception of network data.
Bahamut’s State-Sponsored Activities
Based on substantial evidence, CYFIRMA has linked Bahamut to be operating on behalf of a specific state government in India. The shared use of the same certificate authority as the DoNot APT group, similar data-stealing methodologies, common targeting scope, and the utilization of Android apps to infect targets all suggest a close collaboration or overlap between the two groups.
The situation raises grave concerns about the security of communication apps and highlights the need for users to remain vigilant against downloading applications from unverified sources. As such state-sponsored hacking groups continue to develop sophisticated techniques, it becomes imperative for individuals and organizations to stay abreast of cybersecurity best practices to safeguard their sensitive data and privacy.