Malware on Android has been a recurring, almost omnipresent, problem despite Google’s best efforts to counter the spread. New research from cybersecurity firm ESET reveals that the infamous cyber-mercenary group Bahamut APT has found a new carrier for dangerous malware targeting Android phones — VPN apps.

As the cyber-mercenary label suggests, Bahamut APT is a hack-for-hire group that runs spear-phishing campaigns for paying clients. It has been active for years, often targeting individuals in the Middle East and South Asia. According to ESET researchers, at least eight versions of Bahamut's spyware have now been found in trojanized builds of the popular Android VPN apps SoftVPN and OpenVPN. The group reportedly reused older spyware code when building these malicious apps.

Bahamut APT has been in and out of the news since 2017 for cyber-espionage attempts of varying scale. The VPN campaign is a fairly conventional spyware operation: once installed, the trojanized app compromises the device and exfiltrates SMS messages, call logs, location data and call recordings. The spyware can also spy on messaging apps such as WhatsApp and capture other data, including banking details, through keylogging.

Screenshots from the infected OpenVPN app and its distribution website

A spoofed copy of the SecureVPN website was used to distribute all of the infected apps; none was ever listed on the Play Store. The apps appear to target specific individuals, who were directed to the site together with a specific activation key. The genuine VPN requires neither an activation key nor a visit to that website, another red flag for potential victims. The key stops the malicious payload from triggering on devices that do not belong to the intended victim, which also means the spyware stays dormant on any device analysed without it.

ESET's findings are yet another reminder not to install apps from untrustworthy sources. The researchers say the campaign began in January this year and is still active. If you want a VPN app, install it from the Play Store, and be especially wary when someone sends you a link to download one from elsewhere.
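One practical check that follows from this advice, added here as an example and not taken from the article or from ESET's report: on a device you can reach over adb, `pm list packages -i` reports which installer put each package on the phone. Apps that arrived through the Play Store show `installer=com.android.vending`; a VPN app installed from a link shows `installer=null` or some other package. The script below parses that output and flags everything not installed by a trusted installer. The sample lines are constructed for the example, and the list of trusted installers is an assumption you may need to extend (for instance to an enterprise MDM's package name).

```shell
#!/bin/sh
# Added example, not code from the article or from ESET. Flags Android
# packages that were not installed by the Play Store, based on the output
# of `adb shell pm list packages -i`, whose lines look like:
#   package:com.android.chrome  installer=com.android.vending
#   package:com.example.sideloaded  installer=null
# Anything whose installer is not a trusted store was sideloaded, which is
# exactly how the trojanized SoftVPN/OpenVPN builds reached their victims.

# Assumed set of trusted installer package names (space separated).
TRUSTED_INSTALLERS="com.android.vending"

# Reads `pm list packages -i` lines on stdin and prints one line per
# suspicious package: "<package>\t<installer>". No output means nothing
# was flagged. Lines that do not start with "package:" are ignored.
flag_sideloaded() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}              # drop the "package:" prefix
        pkg=${pkg%%[[:space:]]*}          # keep only the package name
        installer=${line##*installer=}    # text after "installer="
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$installer" = "$t" ]; then
                trusted=1
            fi
        done
        if [ "$trusted" -eq 0 ]; then
            printf '%s\t%s\n' "$pkg" "$installer"
        fi
    done
    return 0
}

# Constructed sample output, not captured from a real device.
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.example.vpn  installer=null
package:com.example.other  installer=com.sec.android.app.samsungapps'

# Usage on a real device:   adb shell pm list packages -i | flag_sideloaded
printf '%s\n' "$SAMPLE" | flag_sideloaded
```

Run against the constructed sample, the script prints `com.example.vpn` (installer `null`, a classic sideload) and `com.example.other` (installed by a vendor store), and stays silent about Chrome. A hit is not proof of compromise, but a VPN app that turns up with `installer=null` after the user followed an emailed link with an "activation key" is exactly the pattern ESET describes.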