Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware that steals call logs, text messages, and GPS locations from phones.
The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with its latest attacks conducted primarily through spear-phishing messages on WhatsApp that deliver the malicious payloads directly to the victim.
CYFIRMA's analysts also highlight several TTP similarities to another Indian state-sponsored threat group, 'DoNot APT' (APT-C-35), which has previously seeded Google Play with fake chat apps acting as spyware.
Late last year, ESET reported that the Bahamut group was using fake VPN apps for the Android platform that included extensive spyware functionality.
In the latest campaign observed by CYFIRMA, Bahamut targets individuals in South Asia.
"Safe Chat" details
While CYFIRMA does not delve into the specifics of the social-engineering side of the attack, it is common for victims to be persuaded into installing a chat app under the pretext of moving the conversation to a more secure platform.
The analysts report that Safe Chat features a deceptive interface that makes it appear to be a real chat app, and it also takes the victim through a seemingly legitimate user registration process that adds credibility and serves as an excellent cover for the spyware.
One crucial step in the infection is obtaining permission to use the Accessibility Services, which are subsequently abused to automatically grant the spyware additional permissions without further user interaction.
These additional permissions allow the spyware to access the victim's contact list, SMS messages, call logs, and external device storage, and to fetch precise GPS location data from the infected device.
The app also asks the user to approve its exclusion from Android's battery optimization subsystem, which would otherwise terminate its background processes when the user is not actively engaging with the app, so the exemption keeps the collection running continuously.
"Another snippet from the Android Manifest file reveals that the threat actor designed the app to interact with other already installed chat applications," explains CYFIRMA.
"The interaction will take place using intents; the OPEN_DOCUMENT_TREE permission will select specific directories and access the apps mentioned in the intent."
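The permission and service combination described above (an accessibility service, a battery-optimization exemption, and contacts, SMS, call-log, storage and location access in an app that claims to be a chat client) is something an analyst can check for statically in a decoded AndroidManifest.xml. The following Python is an added triage example, not CYFIRMA's tooling or code recovered from the SafeChat sample: the two manifests are constructed for illustration, the package and service names are invented, and the scoring thresholds are my own assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the spyware-like
capability combination: an accessibility service, a battery-optimization
exemption, and data permissions a chat app does not need.

Added example, not CYFIRMA's code. Manifests below are constructed;
package and service names are invented; thresholds are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permissions that give an app the data described in the report.
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "external_storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise_location",
}
BATTERY_PERMISSION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# A real accessibility service is a <service> guarded by this permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability findings and a heuristic verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME_ATTR)
        for s in root.iter("service")
        if s.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION
    ]
    data_access = sorted(label for perm, label in DATA_PERMISSIONS.items() if perm in requested)
    battery_exempt = BATTERY_PERMISSION in requested
    # Assumed weighting: accessibility abuse is the enabler, so it counts double.
    score = len(data_access) + (2 if accessibility_services else 0) + (1 if battery_exempt else 0)
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "battery_optimization_exemption": battery_exempt,
        "data_access": data_access,
        "score": score,
        # Assumed verdict rule: accessibility service plus three or more data sources.
        "suspicious": bool(accessibility_services) and len(data_access) >= 3,
    }


# Constructed manifest modelled on the behaviour described in the report.
SPYWARE_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.safechat.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Safe Chat">
    <service android:name=".AccessibilityHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for a chat app that asks only for what messaging needs.
BENIGN_CHAT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Plain Chat">
    <service android:name=".PushService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SPYWARE_LIKE_MANIFEST, BENIGN_CHAT_MANIFEST):
        print(triage_manifest(manifest))
```

The binary manifest inside an APK has to be decoded first (apktool or androguard both do this). The check is a heuristic: screen readers and automation tools legitimately declare an accessibility service, so treat a hit as a reason to look at the sample, and corroborate it with the network side, for example TLS to an unusual port such as 2053 from an app that claims to be a messenger.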
A dedicated data exfiltration module transfers information from the device to the attacker's C2 server via port 2053.
The stolen data is encrypted using another module that supports RSA, ECB, and OAEPPadding; these are the three components of the Java Cipher transformation string "RSA/ECB/OAEPPadding", meaning RSA with OAEP padding (the "ECB" token is a naming quirk of the Java crypto API rather than block-mode encryption). At the same time, the attackers use a "letsencrypt" certificate, so the C2 traffic carries a valid publicly trusted TLS certificate and does not stand out as self-signed, which helps it evade network interception efforts against them.
CYFIRMA concludes the report by saying that it holds enough evidence to link Bahamut to working on behalf of a specific state government in India.
Also, the use of the same certificate authority as the DoNot APT group, similar data-stealing methodologies, a common targeting scope, and the use of Android apps to infect targets all indicate overlap or close collaboration between the two groups.