ESET researchers have discovered a new campaign attributed to the Bahamut APT (advanced persistent threat), which uses a VPN app as a lure to infect targets with Android spyware.
Bahamut is a cyberespionage threat group that has been operational since 2017, targeting primarily the Middle East and South Asia.
The VPN apps used by the Bahamut hackers are trojanized versions of SoftVPN and OpenVPN, distributed through a fake SecureVPN site where victims end up after clicking on links embedded in phishing emails.
[Image: Fake ‘SecureVPN’ site distributing the malicious VPN app]
The downloaded APK files install the usable VPN application, but they also infect the devices with spyware capable of exfiltrating SMS, tracking location, and recording phone calls.
Additionally, the spyware can intercept all communications on otherwise secure instant messaging apps like Signal, Viber, WhatsApp, Telegram, and Messenger.
VPN Spyware Details
ESET’s analysts were able to sample eight different versions of the spyware, following a progressive version numbering that indicates gradual development.
Earlier versions were based on SoftVPN, while later versions are based on the legitimate open-source application OpenVPN, which has over 10 million downloads on Google Play.
The threat actor most likely switched to the latter when SoftVPN stopped working and made server connectivity unreliable, which threatened to compromise the operation.
Both contain the same malicious code, with only minor refactoring and optimizations that don’t impact the spyware’s core functionality.
The spyware will only activate if a valid key is provided from the server side, meaning that the