Posted on July 30, 2023 at 7:29 AM
Hackers Exploit Fake Android Chat App To Steal Signal And WhatsApp User Data
Hackers have been using a fake Android application known as “SafeChat” to attack Android devices. The app delivers spyware that steals call logs, text messages, and GPS locations from infected phones.
Hackers exploit fake Android chat app to steal user data
The Android spyware in question is believed to be a variant of another malware family known as “Coverlm,” which steals data from messaging platforms such as Facebook Messenger, Signal, Telegram, WhatsApp, and Viber.
The campaign using the fake SafeChat Android app was exposed by researchers from CYFIRMA. According to these researchers, the campaign was carried out by an Indian APT group known as Bahamut.
The group's latest campaigns are largely delivered through spear-phishing messages sent to targets on WhatsApp. These messages carry the malicious payload directly to the victim to start the attack.
The analysts at CYFIRMA have also noted several similarities between this group's activity and that of an Indian state-sponsored threat actor known as “DoNot APT” or APT-C-35. The hacker group has previously run campaigns on the Google Play Store by listing malicious chat apps on the marketplace; these apps act as spyware that monitors activity on the device.
Towards the end of last year, a report by ESET researchers said that the Bahamut threat actor group had been using fake VPN applications on the Android platform. Some of these apps carried a wide range of spyware capabilities that gave the threat actor access to the targeted device.
In the recent campaign detected by the CYFIRMA researchers, the Bahamut threat actor group targeted individuals located in South Asia. The targeting suggests the group has a vested interest in the South Asia region.
Phishing campaign with fake chat app
The researchers at CYFIRMA have not shared specific details about the social engineering used in this campaign. However, victims of such attacks are commonly tricked into installing a fake chat app that later harms them or gives the attacker access to information they should not have.
In most cases, the victims of such campaigns are lured into installing these fake apps after the threat actors tell them the conversation will be moved to a more secure platform. That move never happens: once the user follows the link, their information is stolen.
The researchers also said that the SafeChat app comes with an interface that appears authentic and has the same features as a real chat application. The app leads the victim through a user registration process that looks genuine but is fake. The convincing interface boosts the app's credibility and makes it an ideal disguise for spyware.
One of the main steps in the infection process is obtaining the permissions needed to use Android's Accessibility Services. These services are often abused to grant the spyware additional permissions on the targeted device.
The additional permissions give the spyware access to the contact list, SMS, call logs, and external storage on the device. The spyware can also access the victim's precise GPS location data.
SafeChat also urges the user to approve an exclusion from the battery optimization subsystem on the Android device. That subsystem would otherwise halt the app's background processes whenever the user is not actively interacting with it.
“Another snippet from the Android Manifest file shows that the threat actor designed the app to interact with other already installed chat applications,” CYFIRMA researchers said. “The interaction will take place using intents, OPEN_DOCUMENT_TREE permission will select specific directories and access apps mentioned in intent.”
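The combination described above (an accessibility service, sensitive data permissions, a battery-optimization exclusion request and an OPEN_DOCUMENT_TREE hook) is visible statically in an app's manifest, which makes it a useful triage check before anything is installed. The script below is an added example of such a check; it is not CYFIRMA's tooling or the malware's code, the two manifests are constructed with placeholder package names, and the verdict rule (accessibility service plus three or more sensitive data permissions) is a hypothetical heuristic rather than an established signature.

```python
"""Static triage of an AndroidManifest.xml for the capability set the SafeChat
write-up describes. Added example, not CYFIRMA's or the malware's code; the two
manifests below are constructed, with placeholder package names."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions behind the data the article says the spyware collects.
DATA_ACCESS_PERMS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OPEN_DOCUMENT_TREE = "android.intent.action.OPEN_DOCUMENT_TREE"

# Constructed manifest with the profile from the write-up (placeholder package).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <queries>
    <intent><action android:name="android.intent.action.OPEN_DOCUMENT_TREE"/></intent>
  </queries>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary chat app: network plus contacts only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benignchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def declares_accessibility_service(root):
    """True if a <service> is guarded by BIND_ACCESSIBILITY_SERVICE and handles
    the AccessibilityService intent action, which is how such services are wired."""
    for svc in root.iter("service"):
        if android_attr(svc, "permission") != ACCESSIBILITY_BIND:
            continue
        if any(android_attr(a, "name") == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False


def triage_manifest(xml_text):
    """Return the suspicious capabilities found and a verdict (hypothetical rule:
    accessibility service plus at least three sensitive data permissions)."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    accessibility = declares_accessibility_service(root)
    if accessibility:
        findings.append("declares an accessibility service")
    data_hits = [what for perm, what in DATA_ACCESS_PERMS.items() if perm in perms]
    findings.extend(f"reads {what}" for what in data_hits)
    if BATTERY_PERM in perms:
        findings.append("asks to be excluded from battery optimization")
    # OPEN_DOCUMENT_TREE in <queries> or an intent filter is the directory-picking
    # hook the write-up ties to reaching other chat apps' data.
    if any(android_attr(a, "name") == OPEN_DOCUMENT_TREE for a in root.iter("action")):
        findings.append("uses OPEN_DOCUMENT_TREE to pick directories")
    return {"findings": findings, "spyware_profile": accessibility and len(data_hits) >= 3}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["spyware_profile"], result["findings"])
```

Any one of these permissions has legitimate uses, and a real chat app will ask for contacts and storage; the point of the check is the cluster, and in particular an accessibility service in an app whose stated purpose has nothing to do with accessibility. Run it against an extracted manifest (for example the output of `apkanalyzer manifest print`) before the app ever reaches a device.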
The hackers also rely on a dedicated data exfiltration system that transfers data from the targeted device to the attacker's C2 server over port 2053. The stolen data is encrypted using a module supporting ECB, RSA, and OAEPPadding, and a “letsencrypt” certificate is used to prevent interception of the network traffic.
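A valid Let's Encrypt certificate means the traffic will not stand out as unencrypted or self-signed, so the observable left on the network side is the shape of the flows: TLS to a port that is not 443, carrying far more data out than in. The script below is an added example of hunting for that shape in a Zeek-style conn.log; it is not from the CYFIRMA report, the log lines are constructed (RFC 5737 documentation addresses, not campaign infrastructure), and the byte thresholds are hypothetical values to be tuned per environment.

```python
"""Hunt a Zeek-style conn.log for the exfiltration shape the SafeChat write-up
describes: TLS to a non-standard port (2053) with upload-heavy flows.
Added example; the log lines are constructed, not real campaign traffic."""
from collections import defaultdict

# Leading columns of the real Zeek conn.log, tab separated.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]

# Constructed sample: one phone (10.0.0.7) browsing normally over 443/8443 and
# pushing data to a placeholder server (203.0.113.10) on port 2053.
SAMPLE_LOG = """\
1690700000.1\tCa1\t10.0.0.7\t50001\t198.51.100.20\t443\ttcp\tssl\t2.1\t1200\t48000
1690700010.2\tCa2\t10.0.0.7\t50002\t203.0.113.10\t2053\ttcp\tssl\t5.0\t650000\t900
1690700020.3\tCa3\t10.0.0.7\t50003\t203.0.113.10\t2053\ttcp\tssl\t4.7\t420000\t800
1690700030.4\tCa4\t10.0.0.7\t50004\t198.51.100.21\t443\ttcp\tssl\t1.0\t900\t30000
1690700040.5\tCa5\t10.0.0.7\t50005\t198.51.100.22\t8443\ttcp\tssl\t1.0\t500\t7000
"""

# Ports where TLS is expected; anything else with service "ssl" is reviewed.
STANDARD_TLS_PORTS = {443, 8443}


def parse_conn_log(text):
    """Parse tab-separated conn.log rows into dicts, skipping Zeek '#' headers.
    Zeek writes '-' for unset fields; those are treated as zero bytes."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        for key in ("id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes"):
            row[key] = int(row[key]) if row[key] != "-" else 0
        rows.append(row)
    return rows


def find_upload_heavy_nonstandard_tls(rows, min_upload=100_000, ratio=10.0):
    """Group TLS flows to non-standard ports by (client, server, port) and flag
    pairs where the client sent at least min_upload bytes and at least ratio
    times what it received. Both thresholds are hypothetical starting points."""
    agg = defaultdict(lambda: {"flows": 0, "orig_bytes": 0, "resp_bytes": 0})
    for r in rows:
        if r["service"] != "ssl" or r["id.resp_p"] in STANDARD_TLS_PORTS:
            continue
        a = agg[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])]
        a["flows"] += 1
        a["orig_bytes"] += r["orig_bytes"]
        a["resp_bytes"] += r["resp_bytes"]
    hits = []
    for (orig, resp, port), a in agg.items():
        if a["orig_bytes"] >= min_upload and a["orig_bytes"] >= ratio * max(a["resp_bytes"], 1):
            hits.append({"orig": orig, "resp": resp, "port": port, **a})
    return hits


if __name__ == "__main__":
    for hit in find_upload_heavy_nonstandard_tls(parse_conn_log(SAMPLE_LOG)):
        print(f"{hit['orig']} -> {hit['resp']}:{hit['port']} "
              f"{hit['flows']} flows, {hit['orig_bytes']} bytes out, {hit['resp_bytes']} in")
```

Port 2053 alone is a weak indicator (it is also a common alternate HTTPS port behind some CDNs), which is why the aggregation keys on the upload-to-download ratio across flows rather than on the port number; an ordinary chat client on the same port would show the opposite ratio.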
The campaign uses the same certificate authority as the DoNot APT group, along with the same data-stealing methods, a similar targeting scope, and Android apps as the infection vector.