Since at least 2017, a threat actor involved in cyberespionage has been luring victims with fake VPN software for Android built from trojanized versions of two legitimate products, SoftVPN and OpenVPN. Researchers described the effort as “highly targeted” and designed to collect contacts, call logs, device location and messages from other applications.
The operation has been linked to an advanced threat actor tracked as Bahamut, which is believed to offer hack-for-hire services. Lukas Stefanko, a malware researcher at ESET, reports that Bahamut repackaged the OpenVPN and SoftVPN Android apps with malicious code that adds surveillance capabilities. By doing so, the actor ensured that the victim could still use the app’s VPN functionality while sensitive data was being exfiltrated from the device.
Bahamut set up a fake website [thesecurevpn] to distribute the malicious app, borrowing the name of SecureVPN, a legitimate VPN service, to disguise the activity and lend it credibility. According to Stefanko, the fake VPN app can steal contacts, call records, location data, SMS messages and the contents of conversations held in messaging services including Facebook Messenger, Signal, Viber, WhatsApp and Telegram.
ESET’s researcher found that Bahamut’s spyware VPN app exists in eight versions, with sequential version numbers that point to ongoing development. All of the fraudulent apps contained code previously seen only in operations attributed to Bahamut, such as the SecureChat campaign documented by the cybersecurity firms Cyble and CoreSec360 [1, 2].
A further indication of the operation’s targeted nature is that none of the trojanized VPN versions were available on Google Play, the official app store for Android. Although the initial distribution vector is unknown, it could be anything from phishing emails to social media scams to other forms of contact.
Bahamut’s operations first became public knowledge in 2017, when journalists from the investigative group Bellingcat published a piece on the espionage actor’s targeting of human rights activists in the Middle East. Attributing Bahamut’s activity and linking it to other threat actors is difficult because the group frequently changes tactics, relies heavily on publicly available resources and does not concentrate on any single region.
The group “appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess,” BlackBerry experts write in a detailed report on Bahamut published in 2020. Bahamut has ties to the threat actor organizations Windshift and Urpage.