ESET researchers have discovered a new campaign attributed to the Bahamut APT (advanced persistent threat), which uses a VPN app as a lure to infect targets with Android spyware.

Bahamut is a cyberespionage threat group that has been operational since 2017, targeting primarily the Middle East and South Asia.

The VPN apps used by the Bahamut hackers are trojanized versions of SoftVPN and OpenVPN, distributed through a fake SecureVPN site where victims end up after clicking on links embedded in phishing emails.

[Figure: Fake ‘SecureVPN’ site distributing the malicious VPN app]

The downloaded APK files install the usable VPN application, but they also infect the devices with spyware capable of exfiltrating SMS, tracking location, and recording phone calls.

Additionally, the spyware can intercept all communications on otherwise secure instant messaging apps like Signal, Viber, WhatsApp, Telegram, and Messenger.

VPN Spyware Details

ESET’s analysts were able to sample eight different versions of the spyware, following a progressive version numbering that indicates gradual development.

Earlier versions were based on SoftVPN, while later versions are based on the legitimate open-source application OpenVPN, which has over 10 million downloads on Google Play.

Both contain the same malicious code, with only minor refactoring and optimizations that don’t impact the spyware’s core functionality.

Likely, the threat actor was forced to pick up the latter when SoftVPN stopped working and made server connectivity unreliable, threatening to compromise the operation.

The spyware will only activate if a valid key is provided from the server side, meaning that the threat actors have validated the target and enabled the app remotely.

When activated, the app can steal the following data: