ESET has revealed that there are several fake VPNs on the Internet that steal data from smartphones, such as banking information. These are distributed by computer hackers from the Bahamut group and affect Android users from a website that they have created expressly to attract new victims. Although they are not focused on all Android users, this could change, so it is worth taking extreme precautions.
Its modus operandi is to spoof SecureVPN, SoftVPN, and OpenVPN mobile clients under apps that have Bahamut spyware. When one of these apps is installed on its victims’ smartphones, the malware gains access to their calls, SMS, geolocation, and other relevant information, including bank details.
They disguise themselves under fake VPN services and spy on you
SET was able to identify at least 8 versions of these malware-infected apps with code changes and updates available on the web they use for their distribution. If Bahamut spyware is enabled, Bahamut operators can remotely control it and leak various sensitive data from the device as we have said above.
Fake VPN apps are not on the Google Play app store. In order to increase their reach, hackers have created a fake SecureVPN website to distribute their malicious apps to attract new victims.
Of course, neither the web nor the apps have anything to do with the original and trusted SecureVPN service. If you look, the original website is securevpn.com when the fake one uses the name ‘thesecurevpn’ to incite deception. They could create new websites later or there are more out there that have not been discovered.
ESET considers that it is a tailor-made solution for certain victims and not for all indiscriminately. Victims of the attack must receive an activation key. The software is not going to run on random users’ devices, but is initially targeting specific people. What they are looking for is to get confidential user data and spy on messaging apps such as Telegram, WhatsApp, Signal, Viber and Facebook Messenger.
As stated by ESET researcher Lukas Stefanko, the data exfiltration is done through the malware’s keylogging functionality , which misuses accessibility services. All the extracted data is stored in a local database and later sent to the command and control (C&C) server. In addition, the app can be updated by receiving a link to a new version from the C&C server.
Do not install apps from untrusted sites
Although in this case, the way to get infected is by accessing this website and downloading one of the infected apps, it is worth taking extreme precautions when using your mobile. It is important not to download apps from untrustworthy sources since your mobile can be infected by a Trojan, virus or miner with the consequences that this has, even if sometimes you do not even know that your data or your mobile are in danger.
If you are going to install a VPN service to ‘change your region’, maintain your privacy or any other use that is usually given to this type of service, check that the domain is the official domain of the service and do not install it from any other site. If you don’t have total security, don’t install anything. Also, it is good that you have an antivirus on your mobile and check that you are not installing anything that could harm you. If so, immediately uninstall the malicious app to prevent it from further affecting you.
