
Hackers steal Signal, WhatsApp user data with fake Android chat app

Hackers are using a fraudulent Android app named ‘SafeChat’ to distribute spyware that steals call logs, text messages, and GPS locations from mobile phones.
The Android spyware is believed to be a variant of “Coverlm,” known for stealing data from communication apps like Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
Researchers from CYFIRMA have linked the Indian APT hacking group ‘Bahamut’ to this campaign, with most attacks executed through spear phishing messages on WhatsApp that directly deliver malicious payloads to victims.
The analysts at CYFIRMA have observed similarities in Tactics, Techniques, and Procedures (TTPs) to another Indian state-sponsored threat group called ‘DoNot APT’ (APT-C-35), which previously planted fake chat apps acting as spyware on Google Play.
Last year, ESET reported Bahamut using fake VPN apps for Android, which concealed extensive spyware capabilities.
In this recent campaign identified by CYFIRMA, Bahamut targets individuals in South Asia.
Though CYFIRMA doesn’t delve into the social engineering aspect of the attack, it is typical for victims to be persuaded into installing a chat app under the pretext of shifting to a more secure platform.
The SafeChat app deceives users with an interface that resembles a genuine chat app and guides victims through a seemingly legitimate user registration process, enhancing its credibility and masking the spyware’s true intentions.
One crucial stage of infection involves obtaining permissions to use Accessibility Services, which are then exploited to automatically grant the spyware additional permissions.
These permissions enable the spyware to access the victim’s contacts list, SMS, call logs, external device storage, and fetch precise GPS location data from the compromised device.
The app also asks the user to exclude it from Android’s battery optimization subsystem, so that its background processes are not terminated when the user isn’t actively using the app.
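The permission chain described above (an accessibility service, broad data-access permissions, and a battery-optimization exemption) is a pattern a defender can check for during APK triage. The script below is an added example, not code from CYFIRMA or the article; it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool) and runs on a constructed manifest that imitates the pattern.

```python
"""Flag a decoded AndroidManifest.xml that declares an accessibility service
alongside the data-access and battery-exemption permissions described above."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# Permissions covering the data the article says the spyware collects.
DATA_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky capabilities a manifest declares, plus a verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # once the user enables it, it can act on system dialogs on the user's behalf.
    has_a11y = any(s.get(NS + "permission") == A11Y_PERM for s in root.iter("service"))
    data_access = sorted(lbl for p, lbl in DATA_PERMS.items() if p in requested)
    battery_exempt = BATTERY_PERM in requested
    # The full chain (auto-granting, broad data access, persistence) is what the
    # article describes; a chat client rarely needs all three together.
    return {
        "accessibility_service": has_a11y,
        "data_access": data_access,
        "battery_optimization_exempt": battery_exempt,
        "suspicious": has_a11y and len(data_access) >= 3 and battery_exempt,
    }


# Constructed manifest showing the pattern; not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application><service android:name=".A11y"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The verdict is a heuristic for prioritising manual review, not proof of malice: legitimate accessibility tools also declare this service, so the result should be read together with the app's stated purpose and distribution channel.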
