A dangerous Android spyware app called ‘SafeChat’ has been discovered, raising alarm among cybersecurity experts. This malicious software is suspected to be a variant of the notorious “Coverlm” spyware, designed to steal sensitive data from communication apps, including Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
Researchers from CYFIRMA have identified the Indian APT hacking group ‘Bahamut’ as the perpetrators behind this cyber campaign, targeting victims in South Asia.
The Modus Operandi
The ‘SafeChat’ app employs social engineering tactics to deceive users into installing it on their devices. Victims are often lured into downloading the app under the pretext of enhanced security for their conversations.
The app’s interface is cleverly designed to mimic a genuine chat app, and it even guides users through a seemingly legitimate registration process, adding credibility to its deceptive facade. Once installed, the spyware gains permissions to utilize Accessibility Services, which are then abused to grant the app additional permissions surreptitiously.
The Data Theft Process
Once granted expanded access, the spyware can pilfer a wide array of sensitive data from the infected device. This includes the victim’s contact list, call logs, SMS messages, and even precise GPS location data.
To keep its background processes from being suspended by Android’s battery optimization system, the app prompts the user to exclude it from that optimization. Moreover, ‘SafeChat’ is designed to interact with the other chat applications on the device, a feature that lets it reach more data through intents and access to specific directories.
“The interaction will take place using intents, OPEN_DOCUMENT_TREE permission will select specific directories and access apps mentioned in intent”, explains CYFIRMA.
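The two behaviours described above, an enabled Accessibility Service plus a user-granted battery-optimization exemption, can be checked together on a device under analysis. The following triage script is an added example and not CYFIRMA’s tooling; it parses the text of two adb commands, the sample outputs and package names are constructed, and the allowlist is an assumption to be tuned per fleet.

```python
"""Triage heuristic: flag packages that both hold an enabled Accessibility
Service and have been exempted by the user from battery optimization.
Run the two adb commands below on a USB-debugged device and feed the
output to suspicious_packages(); the strings here are constructed samples."""

# adb shell settings get secure enabled_accessibility_services
# (colon-separated "package/service" entries; package names are hypothetical)
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.safechat/com.example.safechat.AccService"
)

# adb shell dumpsys deviceidle whitelist
# (one "scope,package,uid" entry per line; constructed sample)
DEVICEIDLE_WHITELIST = """\
system,com.android.providers.calendar,10002
system,com.google.android.gms,10050
user,com.example.safechat,10231
user,com.example.musicplayer,10240
"""

# Accessibility packages expected on the device (assumed allowlist; tune per fleet).
KNOWN_A11Y = {"com.google.android.marvin.talkback"}


def accessibility_packages(raw: str) -> set:
    """Reduce the enabled_accessibility_services list to package names."""
    return {entry.split("/", 1)[0] for entry in raw.strip().split(":") if entry}


def user_battery_exempt(raw: str) -> set:
    """Return packages the *user* (not the system image) exempted from Doze."""
    exempt = set()
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[0] == "user":
            exempt.add(parts[1])
    return exempt


def suspicious_packages(a11y_raw: str, whitelist_raw: str, known=KNOWN_A11Y) -> list:
    """Packages showing both behaviours that are not on the allowlist, sorted."""
    hits = accessibility_packages(a11y_raw) & user_battery_exempt(whitelist_raw)
    return sorted(hits - known)


if __name__ == "__main__":
    for pkg in suspicious_packages(ENABLED_A11Y, DEVICEIDLE_WHITELIST):
        print(f"review: {pkg} (accessibility enabled + battery-optimization exempt)")
```

A hit is a lead for manual review (APK hash, signer, install source), not a verdict; legitimate automation and assistive apps can match too.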
Data Exfiltration and Encryption
A dedicated data exfiltration module in the spyware transfers the stolen data to the attacker’s Command and Control (C2) server over port 2053. To protect the stolen information in transit, the attackers use encryption techniques such as RSA, ECB, and OAEPPadding. Additionally, the use of a “letsencrypt” certificate enables them to evade attempts at network data interception, adding an extra layer of protection to their malicious activities.
Link to State-Sponsored Activity
CYFIRMA’s investigation has uncovered substantial evidence linking ‘Bahamut’ to a specific state government in India. Moreover, the similarities between the certificate authority used by the ‘Bahamut’ group and another state-sponsored threat group, ‘DoNot APT,’ suggest a possible overlap or close collaboration between the two entities. These disturbing findings highlight the involvement of state-backed actors in this cyber campaign, making it all the more alarming and potentially far-reaching.
Conclusion
With the emergence of the ‘SafeChat’ Android spyware, users must exercise extreme caution while downloading apps, especially those related to communication and security. Staying vigilant against suspicious messages and unverified app sources is crucial in protecting personal data and devices from potential cyber threats.
As hackers become increasingly sophisticated, it is imperative to stay informed about the latest security developments and ensure that devices are equipped with reliable antivirus software to mitigate risks. Remember, being proactive and cautious is the best defense against cyber adversaries lurking in the digital landscape.