‘SafeChat’ is a malicious Android app used for cyber espionage in South Asia
An Android chatting app called ‘SafeChat’ is being used to conduct cyber espionage and steal sensitive data from targeted individuals in South Asia, particularly India. Users’ privacy and security are at risk as the malicious payload is delivered directly through WhatsApp chats.
APT Hacker (Bahamut) and its Sophisticated Android Malware
Cyber security firm CYFIRMA has identified Android malware operated by the Indian APT hacking group “Bahamut”. Judging by the nature of the attack and the group’s previous activities, it seems likely that the group serves the interests of a nation-state government. In South Asia, the APT has targeted Khalistan supporters, military establishments in Pakistan, and individuals in Kashmir.
There are suspicions that this Android spyware is a variant of the notorious malware “Coverlm,” which steals data from popular communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. The new variant has even more permissions, significantly raising the level of threat it poses to users.
Upon installation, the malware disguises itself as an innocent app called “Safe Chat” in the main menu. This application misleads users into believing they are using a secure chatting app. Behind the façade lies a cunning strategy used by hackers to collect sensitive information.
The APT Bahamut group’s past and present targets indicate that it operates within Indian territory. This is a national security concern because the group’s choice of targets aligns with government interests.
Here’s how the spyware steals data from smartphone users
- Hackers initially convince the victim to install SafeChat, which appears to be a legitimate chat app.
- When the app is installed, it asks for permission to use Accessibility Services, which allows it to access the victim’s contact list, SMS, call logs, external device storage, and location information.
- After this, Safe Chat asks the user to exempt it from Android’s battery optimization. In this way, the app is allowed to keep running in the background even when the user is not actively using it.
- The app then interacts with other chat applications already installed on the device. In this way, the app can take data from those apps, like chat messages and media files.
- Once stolen, the data is encrypted and sent to the attacker’s C2 server. The use of certificates and encryption helps keep the operator anonymous and the traffic undetected.
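The permission pattern described in the steps above (an accessibility service, broad access to contacts, SMS, call logs, storage and location, plus a battery-optimization exemption) is something an analyst can check for directly in an app’s manifest during triage. The following is an added example, not code from the article or from CYFIRMA: it parses a decoded AndroidManifest.xml with Python’s standard library and flags that combination. The permission strings are standard Android ones, assumed to correspond to the capabilities the article lists; the two manifests embedded below are constructed for illustration and are not SafeChat’s real manifest.

```python
"""Manifest triage for the permission pattern described above (added example,
not from the article). Permission names are standard Android constants; the
sample manifests are constructed, not taken from the real SafeChat app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Data categories the article says the app reaches once Accessibility Services is
# granted, mapped to the standard permission that normally gates each of them.
DATA_ACCESS_PERMS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def extract_capabilities(manifest_xml):
    """Return (declared permissions, accessibility service names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # An accessibility service is a <service> that the system binds to under
    # BIND_ACCESSIBILITY_SERVICE; it can read what other apps draw on screen.
    a11y = [s.get(NAME) for s in root.iter("service") if s.get(PERMISSION) == ACCESSIBILITY_BIND]
    return perms, a11y


def triage(manifest_xml):
    """Flag a 'chat app' that asks for spyware-grade capabilities."""
    perms, a11y = extract_capabilities(manifest_xml)
    findings = []
    if a11y:
        findings.append(f"accessibility service {a11y}: can read other apps' screen content")
    data_hits = [label for perm, label in DATA_ACCESS_PERMS.items() if perm in perms]
    if data_hits:
        findings.append("requests access to " + ", ".join(data_hits))
    persistent = BATTERY_EXEMPTION in perms
    if persistent:
        findings.append("asks to be exempted from battery optimization: persistent background execution")
    # Accessibility access combined with broad data access is the pattern worth
    # escalating; the battery exemption on top of it points at ongoing collection.
    high_risk = bool(a11y) and len(data_hits) >= 2
    return {"findings": findings, "high_risk": high_risk, "persistent": persistent}


# Constructed manifest modelled on the behaviour described above (not the real app).
SAMPLE_SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Safe Chat">
    <service android:name=".ChatAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a chat app with only the permissions it plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benignchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Benign Chat"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "high_risk =", result["high_risk"])
        for finding in result["findings"]:
            print("  -", finding)
```

The check deliberately keys on the combination rather than on any single permission: a legitimate messenger may ask for contacts, and accessibility services have genuine uses, but a chat app that wants screen-reading access, several categories of personal data, and exemption from background limits matches the collection-and-exfiltration pattern the article describes and deserves a closer look before it is allowed onto a managed device.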
How to Protect Yourself From Cyber Threats
To protect their data and privacy, individuals and organizations must take precautionary measures against the sophisticated Android malware used by APT Bahamut. Cybersecurity can be enhanced by following these steps:
- Stay Informed: Be aware of potential threats by staying updated with cybersecurity news and advisories.
- Use Trusted Sources: Make sure to download apps only from official app stores and reputable websites.
- Install Antivirus Software: Use antivirus software that is reliable and capable of detecting and removing malicious programs.
- Keep Software Updated: To patch vulnerabilities, update your operating system, applications, and security software on a regular basis.
- Avoid Clicking Suspicious Links: Avoid clicking on links or downloading attachments from unknown sources.
- Enable Two-Factor Authentication (2FA): When possible, use 2FA to add an additional layer of protection to your accounts.
- Educate Employees: Organizations should educate their staff on cybersecurity best practices and the risks posed by cyber-attacks.
- Regular Data Backups: Back up important data on a regular basis to avoid data loss in the case of a cyber incident.