Hackers are using a fake Android chatting app called ‘SafeChat’ to steal data from targeted individuals in South Asia, including India, via malicious payload delivered directly through WhatsApp chat.
Cyber-security firm Cyfirma obtained advanced Android malware targeting individuals in the South Asia region. The suspicious Android malware is a dummy chatting app.
“Our initial technical analyses revealed that APT Bahamut is behind the attack. The nature of this attack, along with previous incidents involving APT Bahamut, possibly indicate that it was carried out to serve the interests of one nation-state government,” the report noted.
Notably, APT Bahamut has previously targeted Khalistan supporters, advocating for a separate nation, posing an external threat to India.
“The threat actor has also aimed at military establishments in Pakistan and individuals in Kashmir, all aligning with the interests of one nation state government,” the security researchers indicated.
The Android spyware is suspected to be a variant of “Coverlm,” which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
This particular malware exhibits a similar operational mechanism to the previously identified malware (distributed through the Google Play Store by the notorious APT group known as ‘DoNot’).
However, the new malware has more permissions, and thus presents a higher level of threat.
After installation, a suspected app with the name “Safe Chat” appears on the main menu. After opening the app, the user is shown a landing page where the user is notified of operating a secure chatting app.
Upon opening the app, after fresh installation, the pop-up message instructs the user to allow permission, and the hackers’ game begins.
The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information, before the victim realises that the app is a dummy.