Hackers have been found using a deceptive Android chat app, known as “SafeChat”, to conduct espionage on unsuspecting victims. The spyware embedded in the app targets users of popular communication platforms such as Signal and WhatsApp, and extracts sensitive data such as call logs, text messages, and GPS locations from infected smartphones.
Researchers have attributed this campaign to the Indian APT hacking group “Bahamut”, which has a track record of using fake apps to steal user information.
SafeChat is a serious threat to privacy
The Android spyware embedded in the “SafeChat” app has emerged as a significant threat to users of messaging applications. The malware, suspected to be a variant of “Coverlm”, specifically targets Telegram, Signal, WhatsApp, Viber, and Facebook Messenger, allowing the operators to harvest user data from those apps. It does not rely on a vulnerability in the targeted apps; it relies on the permissions it obtains on the device, described below.
Bahamut’s latest attacks primarily use spear-phishing messages on WhatsApp as the delivery mechanism for the malicious payload. Victims are lured into installing “SafeChat” under the pretext of moving their conversations to a more secure platform, and the app’s convincing interface and registration process keep the deception intact.
SafeChat uses social engineering to pass as a legitimate chat app and gain the victim’s trust. Its user-registration flow adds credibility to the façade, while the permission it requests to run as an Accessibility Service is central to the infection. Accessibility Services are intended for assistive apps; an app granted that role can read on-screen content and perform actions on the user’s behalf. SafeChat uses this position to obtain access to the victim’s contacts, SMS messages, call logs, external storage, and precise GPS location data.
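The permission profile described above (an Accessibility Service combined with contacts, SMS, call-log, storage and location access) is something a triage analyst can check statically in a decoded AndroidManifest.xml. The script below is an added example, not code from CYFIRMA or from the malware: the manifest it parses is constructed here to mimic that profile, the permission names are the real Android ones, and the package name, service class name and the "three or more capabilities" threshold are assumptions made for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the SafeChat-style
permission profile.  Added example; the manifest below is constructed,
the scoring threshold is an assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities the write-up attributes to SafeChat, mapped to the real
# Android permissions that grant them.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
}
# Only the system may bind to a service protected by this permission; its
# presence on a <service> is how an app registers an Accessibility Service.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: package and class names are hypothetical.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.safechat.lookalike">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="SafeChat">
        <service android:name=".ChatAccessibilityService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (declared permissions, accessibility service class names)."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME_ATTR) for s in root.iter("service")
        if s.get(PERMISSION_ATTR) == ACCESSIBILITY_PERMISSION
    ]
    return permissions, accessibility_services


def triage(xml_text, min_capabilities=3):
    """Flag an app that registers an Accessibility Service and also holds
    enough data-access permissions to match the spyware profile.
    The threshold is an assumption for this example, not a published rule."""
    permissions, a11y = parse_manifest(xml_text)
    capabilities = sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                          if perms & permissions)
    return {
        "capabilities": capabilities,
        "accessibility_services": a11y,
        "suspicious": bool(a11y) and len(capabilities) >= min_capabilities,
    }


if __name__ == "__main__":
    print(triage(CONSTRUCTED_MANIFEST))
```

Run it against the manifest that apktool or a similar decoder writes out (the manifest inside an APK is binary AXML, not plain XML). A legitimate messenger may reasonably hold several of these permissions, so the accessibility service is the discriminating signal here; treat the result as a triage flag to follow up on, not a verdict.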
It does interact with other chat apps
A noteworthy aspect of the malware is its ability to interact with other chat applications already installed on the device. By using Android intents and reading those apps’ data directories, the spyware can monitor them and potentially extract their data as well.
Once the spyware has collected the stolen data, it is sent to the attacker’s command-and-control (C2) server on port 2053. Before transmission the data is encrypted with the Java cipher transformation RSA/ECB/OAEPPadding, that is, RSA with OAEP padding (in Java’s naming the “ECB” component is a placeholder meaning no chaining mode; it does not imply ECB-mode block encryption). Only the holder of the attacker’s private key can decrypt the payload, so captured traffic cannot be recovered by defenders. The C2 server also presents a Let’s Encrypt TLS certificate, so the connection looks like ordinary encrypted web traffic and resists network interception.
Could be state-sponsored
Researchers from CYFIRMA have gathered enough evidence to link Bahamut’s activities to a specific state government in India. This conclusion rests on characteristics shared with another Indian state-sponsored threat group, “DoNot APT” (APT-C-35).
The overlapping use of certificate authorities, data-stealing methodology, and target scope all point to close collaboration between the two groups.