What's new
  • Donate
    TheWindowsForum.com needs donations to stay online!
    Love TheWindowsForum.com? Then help keep it alive by sending a donation!

Hackers modify popular OpenVPN Android app to include spyware

WELCOME TO THEWINDOWSFORUM COMMUNITY!

Our community has more than 50.000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.

AFFASocial

Well-Known Member
VIP
Jun 26, 2021
225
151
OS
Windows 10
BR
Yandex.Browser 22.11.0.2423

Hackers modify popular OpenVPN Android app to include spyware​

  • November 24, 2022
  • 10:29 AM
  • 0

Hackers repackage SoftVPN and OpenVPN into malicious Android versions

A threat actor associated with cyberespionage operations since at least 2017 has been luring victims with fake VPN software for Android that is a trojanized version of legitimate software SoftVPN and OpenVPN.
Researchers say that the campaign was "highly targeted" and aimed at stealing contact and call data, device location, as well as messages from multiple apps.

VPN service impersonation​

The operation has been attributed to an advanced threat actor tracked as Bahamut, which is believed to be a mercenary group providing hack-for-hire services.
ESET malware analyst Lukas Stefanko says that Bahamut repackaged the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.
By doing this, the actor ensured that the app would still provide VPN functionality to the victim while exfiltrating sensitive information from the mobile device.
To hide their operation and for credibility purposes, Bahamut used the name SecureVPN (which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute their malicious app.
Bahamut's fake SecureVPN website
Bahamut's fake SecureVPN website
source: ESET
Stefanko says that the hackers' fraudulent VPN app can steal contacts, call logs, location details, SMS, spy on chats in messaging apps like Signal, Viber, WhatsApp, Telegram, and Facebook's Messenger, as well as collect a list of files available in external storage.
ESET's researcher discovered eight versions of Bahamut's spying VPN app, all with chronological version numbers, suggesting active development.
All fake apps included code observed only in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity companies Cyble and CoreSec360 [1, 2].
SQL queries comparison in malicious code Bahamut used in its SecureVPN and SecureChat campaigns
SQL queries Bahamut used in its malicious SecureChat and SecureVPN apps
source: ESET
It is worth noting that none of the trojanized VPN versions were available through Google Play, the official repository for Android resources, another indication of the targeted nature of the operation.
The method for the initial distribution vector is unknown but it could be anything from phishing over email, social media, or other communication channels.
Details about Bahamut operations emerged in the public space in 2017 when journalists at the investigative group Bellingcat published an article about the espionage actor targeting Middle Eastern human rights activists.
Connecting Bahamut to other threat actors is a tall order considering that the group relies greatly on publicly available tools, constantly changes tactics, and its targets are not in a particular region.
However, BlackBerry researchers note in an extensive report on Bahamut in 2020 that the group " appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess."
Some threat actor groups Bahamut has been associated with include Windshift and Urpage.
 

DVDR_Dog

Well-Known Member
Ultimate Donator
Donator
VIP
Nov 5, 2018
1,791
1,289
OS
Windows 10
BR
Chrome 107.0.0.0
You know something about open source and security software doesn't sit well with me. Although it has superior performance, OpenVPN source is out there to modify at will and find exploits.
 

Online statistics

Members online
0
Guests online
31
Total visitors
31
Top