Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware that steals call logs, texts, and GPS locations from phones.
The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with its latest attacks conducted primarily via spear phishing messages on WhatsApp that deliver the malicious payloads directly to the victim.
CYFIRMA's analysts also highlight several TTP similarities to another Indian state-sponsored threat group, 'DoNot APT' (APT-C-35), which has previously seeded Google Play with fake chat apps acting as spyware.
Late last year, ESET reported that the Bahamut group was using fake VPN apps for the Android platform that included extensive spyware functions.
In the latest campaign observed by CYFIRMA, Bahamut targets individuals in South Asia.
"Safe Chat" details
While CYFIRMA doesn't delve into the specifics of the social engineering aspect of the attack, it's common for victims to be persuaded into installing a chat app under the pretext of moving the conversation to a more secure platform.
The analysts report that Safe Chat features a deceptive interface that makes it look like a real chat app and also takes the victim through a seemingly legitimate user registration process that adds credibility and serves as an excellent cover for the spyware.
One critical step in the infection is obtaining permission to use the Accessibility Services, which are subsequently abused to automatically grant the spyware additional permissions.
These additional permissions enable the spyware to access the victim's contact list, SMS, call logs, and external device storage, and to fetch precise GPS location data from the infected device.
The app also asks the user to approve its exclusion from Android's battery optimization subsystem, which otherwise terminates background processes when the user isn't actively engaging with the app.
"Another snippet from the Android Manifest file shows that the threat actor designed the app to interact with other already installed chat applications," explains CYFIRMA.
"The interaction will take place using intents, OPEN_DOCUMENT_TREE permission will select specific directories and access apps mentioned in intent."
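A defender-side triage check for the manifest indicators described above (an accessibility service, the battery-optimisation exclusion request, the data-access permissions, and the OPEN_DOCUMENT_TREE intent action); this is an added example, not CYFIRMA's code, and the embedded manifest is a constructed sample, not the real SafeChat manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data-access permissions the report says the spyware obtains via Accessibility abuse
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OPEN_DOC_TREE = "android.intent.action.OPEN_DOCUMENT_TREE"

def triage_manifest(xml_text: str) -> dict:
    """Flag which SafeChat-style indicators a decoded AndroidManifest.xml shows."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE can read the screen and
    # click through permission dialogs on the user's behalf.
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
                        for s in root.iter("service"))
    # Any declared <action> (in <queries> or intent filters) naming OPEN_DOCUMENT_TREE
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    findings = {
        "accessibility_service": accessibility,
        "battery_optimisation_exclusion": BATTERY_PERM in perms,
        "data_permissions": sorted(perms & DATA_PERMS),
        "open_document_tree": OPEN_DOC_TREE in actions,
    }
    findings["score"] = (int(accessibility) + int(findings["battery_optimisation_exclusion"])
                         + len(findings["data_permissions"]) + int(findings["open_document_tree"]))
    return findings

# Constructed sample manifest (hypothetical package name) that exhibits every indicator
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <queries><intent><action android:name="android.intent.action.OPEN_DOCUMENT_TREE"/></intent></queries>
  <application>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A benign chat app may legitimately hold one or two of these; it is the full combination, with an accessibility service present, that warrants a closer look.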
A dedicated data exfiltration module transfers information from the device to the attacker's C2 server via port 2053.
The stolen data is encrypted using another module that supports RSA, ECB, and OAEPPadding. At the same time, the attackers also use a "letsencrypt" certificate to evade any network data interception efforts against them.
CYFIRMA concludes the report by saying that it holds enough evidence to link Bahamut to working on behalf of a specific state government in India.
Also, the use of the same certificate authority as the DoNot APT group, similar data-stealing methodologies, a common targeting scope, and the use of Android apps to infect targets all indicate overlap or close collaboration between the two groups.