The Bahamut Cybermercenary Group Strikes Again Through Fake VPN Apps for Android

A nefarious group of cyber mercenaries is injecting spyware into Android devices to steal users' conversations, confirms new ESET research.

These malware attacks are launched via fake Android VPN apps. Evidence suggests that the hackers used malicious versions of the SecureVPN, SoftVPN, and OpenVPN software.

Known as Bahamut APT, the group is seen as a service for hire that typically launches attacks via phishing messages and fake apps. According to previous reports, its hackers have been targeting both organizations and individuals in the Middle East and South Asia since 2016.

ESET researchers believe that the malicious VPN distribution campaign, estimated to have started in January 2022, is still ongoing.

Malicious site used to download the fake SecureVPN app (Image credit: ESET Research)

From phishing emails to fake VPNs

"The campaign appears to be highly targeted, as we don't see any cases in our telemetry data," said Lukáš Štefanko, the ESET researcher who discovered the malware.

"In addition, the app requests an activation key before the VPN functionality and spyware can be activated. The activation key and website link are likely to be sent to the targeted users."

Štefanko explains that once the app is activated, Bahamut hackers can control the spyware remotely. This means that they are capable of infiltrating and collecting a ton of sensitive user data.

"Data exfiltration is done through the malware's keylogging feature, which abuses accessibility services," he said.

Whether it's SMS messages, call logs, device location and other details, or even conversations in encrypted messaging apps like WhatsApp, Telegram, or Signal, these cybercriminals can spy on virtually anything they find on victims' devices without their knowledge.
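Because the spyware described above works by holding an Android accessibility service, one practical defender check is to audit which packages on a managed device have such a service enabled. The following is an added example (not code from ESET or from the article) that parses the value of the Secure setting `enabled_accessibility_services` and flags packages outside an allowlist; the allowlist and the sample setting value are constructed for illustration.

```python
# Added example: audit enabled Android accessibility services, the capability
# the fake VPN spyware abuses for keylogging. Input is the value of
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of component names ("pkg/cls" or "pkg/.Cls"),
# or the literal "null" when nothing is enabled.
from typing import Dict, List

# Constructed allowlist: packages an organisation expects to legitimately hold
# accessibility access (e.g. a screen reader). Replace with your own inventory.
EXPECTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(setting_value: str) -> List[str]:
    """Expand the colon-separated setting into full ComponentName strings.

    Android accepts the shorthand "pkg/.Service"; it is expanded here to
    "pkg/pkg.Service" so that comparisons against an inventory are stable.
    """
    services = []
    for entry in setting_value.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # "null" (nothing enabled) or a malformed entry
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def unexpected_services(setting_value: str) -> Dict[str, str]:
    """Return {package: component} for enabled services outside the allowlist."""
    findings = {}
    for component in parse_enabled_services(setting_value):
        pkg = component.split("/", 1)[0]
        if pkg not in EXPECTED_ACCESSIBILITY_PACKAGES:
            findings[pkg] = component
    return findings


if __name__ == "__main__":
    # Constructed sample: a screen reader plus an unknown "VPN" package that
    # has registered an accessibility service (package name is hypothetical).
    SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.securevpn/.KeyService")
    for pkg, comp in unexpected_services(SAMPLE).items():
        print(f"review: {pkg} holds accessibility access via {comp}")
```

On a fleet, the same check can be fed from an MDM inventory instead of adb; any package outside the allowlist deserves a look at what it actually does with that access.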

ESET has identified at least eight Trojan-infected versions of these VPN services, which means the campaign is well maintained.

It should be noted that in no case was the malware associated with the legitimate VPN service, and none of the malware-infected apps were promoted on Google Play.

However, the initial distribution vector is still unknown. Looking at how Bahamut APT normally works, a malicious link could have been sent via email, social media or SMS.

What do we know about Bahamut APT?

Although it is still unclear who is behind this, Bahamut APT appears to be a mercenary hacker collective, as their attacks do not follow any specific political interest.

Bahamut has been running prolific cyber espionage campaigns since 2016, primarily in the Middle East and South Asia.

The investigative journalism group Bellingcat was the first to expose its operations in 2017, describing how international and regional powers have become actively involved in such surveillance operations.

"Bahamut is therefore notable as a vision of the future where modern communications have lowered the barriers for small countries to conduct effective surveillance of national dissidents and expand beyond their borders," Bellingcat concluded at that time.

Later, the group was renamed Bahamut, in honor of the giant fish that floats in the Arabian Sea described in Jorge Luis Borges' Book of Imaginary Beings.

More recently, other research highlighted how the Advanced Persistent Threat (APT) group is increasingly turning to mobile devices as their primary target.

Cybersecurity firm Cyble first spotted this new trend last April, noting that the Bahamut group "plans its attack against the target, stays in the wild for a while, allows its attack to affect many people and organizations, and ultimately steals their data."

In that case too, the researchers highlighted the attackers' ability to build a phishing site well designed enough to fool victims and gain their trust.

As confirmed by Lukáš Štefanko for the rogue Android apps incident: "The spyware code, and therefore its functionality, is the same as in previous campaigns, including the collection of data to be exfiltrated in a database before sending it to the operators' server, a tactic rarely seen in mobile cyber-espionage applications."