Fake VPNs are currently circulating on Android! These malicious applications contain spyware that steals a large amount of personal data, including SMS and instant messages.


We repeat it all too often, but the Internet is full of dangers! Every week, new threats appear, whether for computers or mobiles. Hackers are redoubling their ingenuity and have no qualms about stealing valuable personal data, which fetches high prices on the black market of the Net. ESET cybersecurity researchers have just discovered a new, currently active campaign that targets Android users in order to steal sensitive information from them by spying on their every move. Launched last January by the hacker group Bahamut APT, it consists of infecting mobiles using fake applications posing as legitimate VPNs. In truth, they contain spyware that steals a lot of personal data… including from text messages and instant messaging applications!

Fake VPN: Android apps infected with spyware

Bahamut APT is a mercenary hacker group well known to cybersecurity services, which usually launches attacks through phishing messages and fake apps. Typically, they target both organizations and individuals, especially in the Middle East and South Asia, but this time around Europe is in their sights. They don’t seem to be driven by any particular political interest, only by the money that their clients pay them.

ESET researchers discovered a fake website called TheSecureVPN[.]com, which obviously has nothing to do with the real SecureVPN, providing plenty of Android apps to download. In each case, the fake VPNs (eight versions have been discovered so far) are based on SoftVPN or OpenVPN, legitimate applications to which the hackers have added malicious code that activates the malware, a technique Bahamut has already used in the past. The technique is very smart because, upon installation, the malware is inactive, which lets the app pass security defenses without problems. The victim must enter an activation key to use the VPN functions, which activates the spyware at the same time.

Bahamut malware: the data thieves

It is precisely this technique that leads ESET to believe that the campaign is not targeting random victims, but specific people. “The campaign appears to be very targeted, as we don’t see any instances in our telemetry data,” explains Lukáš Štefanko, one of the two researchers. “Additionally, the app asks for an activation key before it can use the VPN and spyware features. The activation key and website link are likely sent to the targeted users.” The applications are therefore not available on the Play Store (this is the first time); victims reach the fake site from emails, SMS, instant messaging or social networks.

Once the application is activated, hackers can remotely control the malware. They then only have to get in and help themselves. Their main goal is to steal all possible sensitive data, such as contacts, SMS messages, call logs, device location, device information (internet connection type, IMEI, IP, SIM serial number), recorded phone calls, the list of installed apps, saved accounts, and a list of files on external storage. By taking advantage of accessibility permissions, they can also steal what is written in the SafeNotes app and the messages exchanged in very popular messaging apps, namely Signal, Viber, WhatsApp, Telegram, Facebook Messenger, WeChat, Calls & Chat and Conion. All data is written to a local database and then sent to the command and control server. This is why it is essential not to download applications that are not in the mobile's official store (which by itself is already not enough to avoid viruses and hacking), all the more so when the device issues a warning at installation.
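As an added illustration of that advice (not code from ESET or from the original article), the following Python sketch triages a phone for apps installed from outside the Play Store and highlights any that also own an enabled accessibility service, the combination described above. It parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; the sample outputs and package names are constructed, and the trusted-installer list is an assumption.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps only).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.securevpn  installer=null
package:com.example.filemanager  installer=com.google.android.packageinstaller
package:org.example.notes  installer=com.android.vending
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.example.securevpn/com.example.securevpn.HelperService:"
               "com.google.android.marvin.talkback/.TalkBackService")

# Assumption: only Google Play counts as an official store; extend for your fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map package name -> installer package (None when no installer is recorded)."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result

def parse_accessibility(setting):
    """Return the packages that own an enabled accessibility service."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def triage(pm_output, a11y_setting):
    """List (package, installer, has_accessibility) for apps not from a trusted store.

    Sideloaded apps holding an accessibility service sort first: they can read
    what other apps, such as messengers, display on screen.
    """
    a11y = parse_accessibility(a11y_setting)
    findings = [(pkg, inst, pkg in a11y)
                for pkg, inst in parse_installers(pm_output).items()
                if inst not in TRUSTED_INSTALLERS]
    return sorted(findings, key=lambda f: (not f[2], f[0]))

if __name__ == "__main__":
    for pkg, inst, has_a11y in triage(SAMPLE_PACKAGES, SAMPLE_A11Y):
        flag = "REVIEW FIRST" if has_a11y else "sideloaded"
        print(f"{flag:12} {pkg} (installer: {inst or 'none recorded'})")
```

A sideloaded app is not necessarily malicious, so the result is a review list, not a verdict.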
