Attackers are using a deceptive Android application named ‘SafeChat’ to infect devices with spyware capable of stealing call logs, text messages, and GPS locations from mobile phones.
The Android spyware is believed to be a variant of “Coverlm,” which is known for extracting data from communication applications such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
According to CYFIRMA researchers, the group behind this campaign is the Indian Advanced Persistent Threat (APT) group ‘Bahamut’. Its recent attacks are carried out primarily through spear-phishing messages on WhatsApp, which deliver the malicious payloads straight to the victim’s device.
In addition, the CYFIRMA analysts point to numerous TTP overlaps with another state-sponsored threat group from India, ‘DoNot APT’ (APT-C-35), which has a history of seeding Google Play with fake chat applications that operate as spyware.
Towards the end of last year, ESET reported that the Bahamut group used fraudulent Android VPN apps with extensive spyware features. In the most recent campaign observed by CYFIRMA, Bahamut is targeting individuals in South Asia.
Details about “Safe Chat”
Although CYFIRMA doesn’t explicitly discuss the social engineering aspect of the attack, victims are typically persuaded to install the chat app on the pretext of moving the conversation to a more secure platform.
The analysts note that Safe Chat has an alluring interface that makes it resemble a genuine chat application. It guides the victim through an ostensibly legitimate user registration process, thereby adding credibility and acting as an excellent disguise for the spyware.
A key stage in the infection process is the granting of permission to use the Accessibility Services, which the spyware then abuses to automatically grant itself further permissions.
These additional permissions allow the spyware to access the victim’s contacts list, text messages, call logs, and external device storage, and to extract precise GPS location data from the affected device.
The application further prompts the user to exempt it from Android’s battery optimization subsystem, which would otherwise suspend background processes when the user isn’t actively interacting with the app.
“Another extract from the Android Manifest file reveals that the malefactor designed the application to communicate with other already installed chat applications,” CYFIRMA clarifies.
The communication is established using intents, and the OPEN_DOCUMENT_TREE permission is used to select specific directories and access the applications named in the intent.
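The capability mix described above (Accessibility Service binding, battery-optimization exemption, broad access to contacts, SMS, call logs and location, plus visibility into other installed messengers) can be checked for in a decoded manifest during triage. The following script is an added example, not code from CYFIRMA or the report; the manifest it parses is constructed for illustration and is not the real SafeChat manifest, and the messenger package-name mapping is the author’s own list.

```python
# Triage a decoded AndroidManifest.xml (e.g. apktool output) for the spyware-like
# capability mix described in the article. SAMPLE_MANIFEST is constructed here.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
DATA_PERMISSIONS = {  # permissions guarding the data the article says is stolen
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}
BATTERY_OPT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OPEN_TREE = "android.intent.action.OPEN_DOCUMENT_TREE"
MESSENGERS = {"org.telegram.messenger": "Telegram", "com.whatsapp": "WhatsApp",
              "org.thoughtcrime.securesms": "Signal", "com.viber.voip": "Viber"}

def triage_manifest(manifest_xml: str) -> dict:
    """Return which of the article's spyware capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    service_perms = {s.get(NS + "permission") for s in root.iter("service")}
    # Intent actions declared in intent-filters or <queries>; intents built only at
    # runtime never appear in the manifest, so this is a lower bound.
    actions = {a.get(NS + "name") for a in root.iter("action")}
    # <queries><package> lists apps this app wants to see and talk to (Android 11+).
    queried = {p.get(NS + "name") for q in root.iter("queries") for p in q.iter("package")}
    result = {
        "accessibility_service": ACCESSIBILITY in service_perms,
        "battery_optimization_exemption": BATTERY_OPT in requested,
        "document_tree_intent": OPEN_TREE in actions,
        "data_access": sorted(d for p, d in DATA_PERMISSIONS.items() if p in requested),
        "targets_messengers": sorted(MESSENGERS[p] for p in queried if p in MESSENGERS),
    }
    # A chat app that drives Accessibility Services and reads three or more sensitive
    # stores matches the escalation pattern described; flag it for manual review.
    result["suspicious"] = result["accessibility_service"] and len(result["data_access"]) >= 3
    return result

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.example.fakechat">
 <uses-permission android:name="android.permission.READ_CONTACTS"/>
 <uses-permission android:name="android.permission.READ_SMS"/>
 <uses-permission android:name="android.permission.READ_CALL_LOG"/>
 <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
 <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
 <queries><package android:name="org.telegram.messenger"/><package android:name="com.whatsapp"/>
  <intent><action android:name="android.intent.action.OPEN_DOCUMENT_TREE"/></intent></queries>
 <application><service android:name=".A11y"
  android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the full finding set; on a real sample, feed it the manifest decoded from the APK.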
A dedicated data exfiltration module moves information from the device to the attacker’s Command and Control (C2) server via port 2053.
The stolen data is encrypted by a separate module that supports RSA, ECB, and OAEPPadding. In addition, the attackers use a Let’s Encrypt certificate to thwart attempts to intercept their network traffic.
CYFIRMA concludes its report by stating that it possesses sufficient evidence to connect Bahamut to operations on behalf of a specific state government in India.
Furthermore, sharing the same certificate authority as the DoNot APT group, similar data theft techniques, shared targeting scope, and the use of Android applications to infect targets all suggest overlap or close cooperation between the two groups.