Hackers Are Packing Malware Into VPN Apps For Android, Security Researchers Warn

Researchers at the cybersecurity firm ESET have discovered an active Android malware campaign that began in January 2022. The campaign in question distributes spyware injected into legitimate VPN apps. The researchers have tied this campaign to an advanced persistent threat (APT) group known as “Bahamut.”

Bahamut has been active since at least 2017, when it was first identified. The APT group conducts cyberespionage primarily in the Middle East and South Asia, working to steal sensitive information at the behest of paying clients. Bahamut has developed its own spyware, which it has packaged with fake applications in the past. However, the group has more recently been re-packaging legitimate apps with its spyware added to the code.

Downloading malicious VPN app from website (source: ESET)

ESET researchers have found Bahamut injecting its malware into the SoftVPN and OpenVPN apps, both of which are legitimate VPN apps. The versions of these apps available on the Google Play Store are legitimate and non-malicious. However, Bahamut has been running a fraudulent VPN website, where it distributes its own versions of these apps with its custom spyware included. While this website is no longer accessible at the domain name identified by the researchers, it contained a download button that visitors could click to download a malicious APK file.

Free web template used by the threat actors on the fraudulent VPN website (source: ESET)

The ESET researchers discovered that the APT group made use of a free VPN web template on its fraudulent website. Bahamut customized this template by borrowing the SoftVPN logo and combining it with the name of another legitimate VPN service, SecureVPN. The malicious APK file available for download on the website also bore this same name. The ESET researchers identified at least eight versions of the two malicious VPN apps pushed by Bahamut in this campaign, meaning the threat group has been actively updating its spyware over the course of this year. The researchers suspect that Bahamut switched from injecting its spyware into SoftVPN to doing the same to OpenVPN because the developers of SoftVPN stopped maintaining the app, and it eventually lost its legitimate VPN functionality.

The Bahamut spyware injected into these VPN apps is bad news. The spyware asks for permission to use Accessibility services, which, if granted by the user, empower the spyware to fully control the infected device. The spyware can leverage this control to exfiltrate sensitive information, including contacts, SMS messages, call logs, device location, recorded phone calls, and messages within popular apps such as Signal, WhatsApp, and Telegram. Users with the SoftVPN, OpenVPN, and SecureVPN apps installed on their phones should check to make sure these apps were installed through the Google Play Store, where the legitimate versions of these apps reside, rather than from possibly malicious APK files downloaded on the Web.
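The installation-source check recommended above can be done from a workstation with the Android platform tools, since Android records which package installed each app. The script below is an added example and is not from ESET or the article: it parses lines in the format printed by `adb shell pm list packages -i` and flags every package whose installer is not the Play Store (`com.android.vending`). The sample output is constructed, and the package names in it (`com.example.securevpn` and so on) are placeholders, not the real app identifiers.

```shell
#!/bin/sh
# Added example (not from ESET or the article): flag Android packages that
# were not installed by the Google Play Store, using the output format of
# `adb shell pm list packages -i`. The sample below is constructed; the
# package names are placeholders and not the real VPN apps' identifiers.

SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.securevpn  installer=null
package:com.example.softvpn  installer=com.android.vending
package:com.example.openvpn  installer=com.android.packageinstaller'

# Reads `pm list packages -i` lines on stdin and prints one line per package
# whose recorded installer is anything other than the Play Store. An installer
# of "null" means Android has no record, which is typical of a sideloaded APK.
flag_sideloaded() {
    awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "unknown"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^installer=/) inst = substr($i, 11)
            }
            if (inst != "com.android.vending") print pkg " (installer=" inst ")"
        }'
}

# Number of flagged packages in the constructed sample (a quick self-check).
count_flagged_sample() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded | wc -l | tr -d ' '
}

# Against a connected device (requires adb; not run here):
#   adb shell pm list packages -i | flag_sideloaded
printf '%s\n' "$SAMPLE_PM_OUTPUT" | flag_sideloaded
```

Any VPN app that appears in this list was not installed through the Play Store and is a candidate for removal and reinstallation from the store. The check is a triage aid rather than a verdict: an app installed via a corporate MDM will also show a non-Play installer, and a sideloaded app can only be judged by what was actually sideloaded.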