
Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones.
The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks carried out primarily via spear phishing messages on WhatsApp that deliver the malicious payloads directly to the victim.
Also, CYFIRMA's analysts highlight several TTP similarities to another Indian state-sponsored threat group, the 'DoNot APT' (APT-C-35), that has previously infested Google Play with fake chat apps acting as spyware.
Late last year, ESET reported that the Bahamut group was using fake VPN apps for the Android platform that included extensive spyware functions.
In the latest campaign observed by CYFIRMA, Bahamut targets individuals in South Asia.
"Safe Chat" details
While CYFIRMA doesn't delve into the specifics of the social engineering aspect of the attack, it's common for victims to be persuaded into installing a chat app under the pretext of moving the conversation to a more secure platform.
The analysts report that Safe Chat features a deceiving interface that makes it appear to be a real chat app and also takes the victim through a seemingly legitimate user registration process that adds credibility and serves as an excellent cover for the spyware.

One crucial step in the infection is the acquisition of permission to use the Accessibility Services, which is subsequently abused to automatically grant the spyware more permissions.
These additional permissions allow the spyware to access the victim's contacts list, SMS, call logs, and external device storage, and to fetch precise GPS location data from the infected device.

The app also requests that the user approve exclusion from Android's battery optimization subsystem, which terminates background processes when the user isn't actively engaging with the app.
"Another snippet from the Android Manifest file shows that the threat actor designed the app to interact with other already installed chat applications," explains CYFIRMA.
"The interaction will take place using intents, OPEN_DOCUMENT_TREE permission will select specific directories and access apps mentioned in intent."
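The permission profile described above (an accessibility service plus contacts, SMS, call logs, storage, precise location and battery-optimization exclusion) is the kind of combination a defender can triage for before an APK is sideloaded. The following Python script is an added example for this page, not CYFIRMA's tooling or anything recovered from the SafeChat sample: it parses a decoded AndroidManifest.xml and flags that combination. The manifest contents and the package name are constructed for the demonstration, and the mapping from the capabilities the article names to standard Android permission strings is an assumption, since the report lists capabilities rather than permission constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permission names matched to the capabilities the article describes.
# The mapping is an assumption made for this example; the report names capabilities, not constants.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts list",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external device storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery optimization exclusion",
}
# A <service> protected by this permission is how an app registers itself as an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the spyware-like permission profile."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    accessibility_services = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]
    flagged = {p: RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS}
    # Accessibility access weighs more because it can be abused to self-grant the other permissions.
    score = len(flagged) + (2 if accessibility_services else 0)
    verdict = "spyware-like" if accessibility_services and len(flagged) >= 3 else "review"
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "flagged_permissions": flagged,
        "risk_score": score,
        "verdict": verdict,
    }


# Constructed sample: a "chat" app declaring an accessibility service and the full data-theft profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Chat">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: an ordinary messenger that only needs network, camera and contacts.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Messenger"/>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["risk_score"])
        for perm, capability in sorted(result["flagged_permissions"].items()):
            print(f"  {perm}  ->  {capability}")
```

Run it against the output of a manifest decoder (apktool or aapt2 produce the readable form); the score is a triage aid for deciding which sideloaded APKs deserve a closer look, not a verdict on its own, since legitimate assistive apps also declare accessibility services.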

A dedicated data exfiltration module transfers information from the device to the attacker's C2 server via port 2053.
The stolen data is encrypted using another module that supports RSA, ECB, and OAEPPadding. At the same time, the attackers also use a "letsencrypt" certificate to evade any network data interception efforts against them.
CYFIRMA concludes the report by saying that it holds enough evidence to link Bahamut to working on behalf of a specific state government in India.
Also, the use of the same certificate authority as the DoNot APT group, similar data-stealing methodologies, a common targeting scope, and the use of Android apps to infect targets all indicate overlap or close collaboration between the two groups.
