Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Cyber-Mercenaries Target Android Users with Fake VPN Apps

Malicious Apps can Exfiltrate Information from Signal, Viber and Telegram
Cyber-Mercenaries Target Android Users with Fake VPN Apps
Trojanized versions of two legitimate apps used by attackers

A hacking-for-hire group is distributing malicious apps through a fake SecureVPN website that enables Android apps to be downloaded from Google Play, say researchers at Eset.

See Also: Check Kiting In The Digital Age

Dubbed "Bahamut," researchers from the cybersecurity firm discovered at least eight versions of the spyware. The apps were being used as part of a malicious campaign that used Trojanized versions of two legitimate apps - SoftVPN and OpenVPN. In both cases, the apps were repackaged with Bahamut spyware.

"The main purpose of the app modifications is to extract sensitive user data and actively spy on victims' messaging apps," the researchers say.

Exfiltration of sensitive data is conducted via keylogging, misusing Android's accessibility service. It can also actively spy on chat messages exchanged through popular messaging apps including Signal, Viber, WhatsApp, Telegram, and Facebook Messenger.

The threat group also acts as a mercenary group, offering hacking-for-hire services that include espionage and disinformation services to target nonprofit organizations and diplomats across the Middle East and southern Asia.

Its initial attack vectors includes spearphishing messages and fake applications, whose goal is to steal sensitive information from its victims.

The malicious application is delivered via the website thesecurevpn[.]com, a spoof of the real securevpn site but which lacks the content or styling of the legitimate SecureVPN service (at the domain

The thesecurevpn[.]com was registered on 2022-01-27, but date for the initial distribution of the fake SecureVPN app is unknown.

Since Bahamut spyware distribution through websites began, eight versions of the spyware have been made available for download.

List of different versions:

  • SecureVPN_104.apk;
  • SecureVPN_105.apk;
  • SecureVPN_106.apk;
  • SecureVPN_107.apk;
  • SecureVPN_108.apk;
  • SecureVPN_109.apk;
  • SecureVPN_1010.apk;
  • SecureVPN_1010b.apk.

In October 2020, BlackBerry researchers identified the Bahamut group creating several fake news websites to push disinformation content. They also discovered a phishing infrastructure and malicious apps being installed in the official Google Play and Apple App stores and used to target specific victims and organizations.

Because the group's targets lack a unifying pattern, the Blackberry researchers suggest that the hackers likely sell their services to the highest bidder.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.