Cyber Security Threat Summary:
Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim. Also, the CYFIRMA's analysts highlight several TTP similarities to another Indian state-sponsored threat group, the 'DoNot APT' (APT-C-35), that has previously infested Google Play with fake chat apps acting as spyware. Late last year, ESET reported that the Bahamut group was using fake VPN apps for the Android platform that included extensive spyware functions. In the latest campaign observed by CYFIRMA, Bahamut targets individuals in South Asia.

Security Officer Comments:
Although it is unclear how victims are being socially engineered into installing the malicious application, Bahamut has a history of creating fake personas on Facebook and Instagram, pretending to be recruiters, journalists, and much more to trick unsuspecting victims into downloading malware on their devices. Upon installing SafeChat, users are presented with a legitimate app sign-in/sign-up prompt which is a tactic employed to cover up for the spyware. From here app will request permission to use the Accessibility Services, which will enable the spyware to access the victim's contacts list, SMS, call logs, external device storage, and fetch precise GPS location data from the infected device. The app will also request the user to exclude it from Android’s battery optimization subsystem which is designed to terminate background processes when the user isn’t actively engaging with the app.

According to researchers, the malicious app is designed to interact with chatting applications installed on the device, further enabling it to monitor and exfiltrate data from the targeted applications to an attacker-controlled C2 server via port 2053. “The stolen data is encrypted using another module that supports RSA, ECB, and OAEPPadding. At the same time, the attackers also use a "letsencrypt" certificate to evade any network data interception efforts against them” (Bleeping Computer, 2023).

Suggested Correction(s):
Be wary of messages from unknown users on applications like Facebook and WhatsApp pretending to be recruiters and other fake personas. With Bahamut using these chatting applications to seek out victims, users should avoid clicking on links or requests to install software, as this will allow threat actors to infect the victim with malicious payloads such as spyware, giving the attackers full access to the device.

Link(s):
https://www.bleepingcomputer.com/