A fake Android chat app called “SafeChat” is being used to steal user data from popular messaging platforms like Signal and WhatsApp. This advanced Android malware, disguised as a secure messaging app, has been targeting users in the South Asian region. The group behind these attacks is suspected to be the Indian APT group known as Bahamut.
This malware is believed to be a variant of the notorious CoverIm malware, known for its ability to steal data from various communication apps. The Bahamut APT group, believed to be behind these attacks, has a history of distributing malware through fake apps. In fact, in 2022, they were found to be using fake VPN apps with extensive spyware functions.
Deceptive Tactics Used by Hackers
The hackers behind the SafeChat malware distribute links to install the app through phishing messages on WhatsApp, convincing victims that they are transitioning to a more secure platform. The app has a deceiving interface, designed to mimic legitimate chat apps, making it appear trustworthy to unsuspecting users. It even takes victims through a seemingly legitimate user registration process, further adding to its credibility as a chat app.
Once installed, the app requests various permissions, including access to Accessibility Services, contacts, SMS, call logs, storage, and GPS location data.
The permissions granted to the SafeChat app are the keys that unlock the full potential of the malware. With access to Accessibility Services, the hackers gain control over the victim’s device, allowing them to extract sensitive information.
The stolen data includes call logs, text messages, and GPS location data from popular messaging services like WhatsApp, Telegram, Signal, Viber, and Facebook Messenger. Additionally, the app requests exclusion from Android’s battery optimization subsystem, ensuring that it operates in the background even when the user is not actively engaging with it. This persistence enables the malware to continue its malicious activities undetected.
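The permission profile described above (an accessibility service, a request to be excluded from battery optimization, and bulk access to SMS, call logs, contacts, storage and location) is something a defender can check for statically before an APK is trusted. The following Python script is an added example, not code from the article or from CYFIRMA: it parses an Android manifest and flags that combination. The manifest embedded in it is constructed for the example, with a hypothetical package name; it is not SafeChat's actual manifest, and the scoring weights are an assumption chosen for illustration.

```python
"""Static triage of an AndroidManifest.xml for the permission combination
described above: an accessibility service plus battery-optimization
exclusion plus broad access to SMS, call logs, contacts, storage and
location. Example code added to this article, not the article's own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest (hypothetical package name, not SafeChat's).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application>
        <service android:name=".AccessibilityHelper"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: a camera app that only needs
# the camera and network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""

# Permissions that, requested together by a "chat" app, match the
# data-theft profile described in the article.
DATA_ACCESS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
}
BATTERY_EXCLUSION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (requested permission names, accessibility service names)."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by the
    # BIND_ACCESSIBILITY_SERVICE permission.
    a11y_services = [
        el.get(NAME_ATTR) for el in root.iter("service")
        if el.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]
    return requested, a11y_services


def triage(xml_text):
    """Score the manifest; weights are an assumption for illustration."""
    requested, a11y = parse_manifest(xml_text)
    data = sorted(requested & DATA_ACCESS)
    wants_persistence = BATTERY_EXCLUSION in requested
    findings = []
    if a11y:
        findings.append("accessibility service: " + ", ".join(a11y))
    if wants_persistence:
        findings.append("requests exclusion from battery optimization")
    if data:
        findings.append("bulk data access: " + ", ".join(p.rsplit(".", 1)[1] for p in data))
    score = len(data) + (2 if a11y else 0) + (1 if wants_persistence else 0)
    if a11y and data and wants_persistence:
        verdict = "high"      # the full profile described in the article
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print("  -", f)
```

The script takes a decoded manifest as text; an analyst would typically feed it the output of a manifest dump from an APK analysis tool rather than hand-written XML. The verdict is a triage signal, not proof of malice: a legitimate accessibility tool may also bind an accessibility service, which is why the high verdict requires all three elements of the profile together.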
State-Sponsored Threat Actor?
CYFIRMA researchers have linked the Bahamut APT group to a specific state government in India. The group shares similarities with another notorious APT group called ‘DoNot APT’ (APT-C-35), which has previously infested Google Play with fake chat apps acting as spyware, including the use of the same certificate authority.
Both groups employ similar data theft methodologies and have a common targeting scope. This suggests a close collaboration or overlap between the two groups. The state-sponsored nature of these attacks adds another layer of concern, highlighting the need for heightened security measures.
Safeguarding Yourself Against SafeChat Malware
As users, it is essential to take proactive measures to protect ourselves from the SafeChat malware and similar threats. Here are some practical tips to enhance your security:
- Install Apps from Trusted Sources: Stick to official sources like the Google Play Store when downloading apps. These platforms have rigorous screening processes that minimize the risk of downloading malware-infected apps.
- Scrutinize App Permissions: Pay close attention to the permissions requested by any app before installing it. Be cautious if an app asks for unnecessary access to sensitive data or features.
- Keep Your Device Updated: Regularly update your Android operating system and apps to ensure you have the latest security patches and bug fixes. These updates often address vulnerabilities that hackers exploit.
- Use Security Apps: Install a reliable antivirus or security app from a trusted source. These apps can scan your device for malware and provide real-time protection against threats.
Reporting and Taking Action
If you suspect that your device has been infected with the SafeChat malware, take immediate action:
- Uninstall the App: Remove the suspicious SafeChat app from your device.
- Change Passwords: Change passwords for any accounts you accessed through the app to prevent unauthorized access.
- Scan for Malware: Use a reputable security app to scan your device for any remaining malware.
- Report the Incident: Notify cybersecurity firms like CYFIRMA or your mobile service provider about the incident. Reporting the attack helps track down the source and protect others from falling victim to the malware.
You can find the full article by CYFIRMA here