A threat actor associated with cyberespionage operations since at least 2017 has been luring victims with fake VPN software for Android that is a trojanized version of legitimate software SoftVPN and OpenVPN.
Researchers say that the campaign was “highly targeted” and aimed at stealing contact and call data, device location, as well as messages from multiple apps.
VPN service impersonation
The operation has been attributed to an advanced threat actor tracked as Bahamut, which is believed to be a mercenary group providing hack-for-hire services.
ESET malware analyst Lukas Stefanko says that Bahamut repackaged the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.
By doing this, the actor ensured that the app would still provide VPN functionality to the victim while exfiltrating sensitive information from the mobile device.
To hide their operation and for credibility purposes, Bahamut used the name SecureVPN (which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute their malicious app.
Bahamut’s fake SecureVPN website source: ESET
Stefanko says that the hackers’ fraudulent VPN app can steal contacts, call logs, location details, SMS, spy on chats in messaging apps like Signal, Viber, WhatsApp, Telegram, and Facebook’s Messenger, as well as collect a list of files available in external storage.
ESET’s researcher discovered eight versions of Bahamut’s spying VPN app, all with chronological version numbers, suggesting active development.
All fake apps included code observed only in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity companies Cyble and CoreSec360 [1, 2].
SQL queries Bahamut used in its malicious SecureChat and SecureVPN apps source: ESET
It is worth noting that none of the trojanized VPN versions were available through Google Play, the official repository for Android resources, another indication of the targeted nature of the operation.
The method for the initial distribution vector is unknown but it could be anything from phishing over email, social media, or other communication channels.
Details about Bahamut operations emerged in the public space in 2017 when journalists at the investigative group Bellingcat published an article about the espionage actor targeting Middle Eastern human rights activists.
Connecting Bahamut to other threat actors is a tall order considering that the group relies greatly on publicly available tools, constantly changes tactics, and its targets are not in a particular region.
However, BlackBerry researchers note in an extensive report on Bahamut in 2020 that the group ” appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess.”
Some threat actor groups Bahamut has been associated with include Windshift and Urpage.