By Divya Bhati: WhatsApp is one of the most widely used instant messaging platforms around the globe. In India too, the Meta-owned platform has millions of users, making it a prime target in the cyber world. From scams to cyber attacks, WhatsApp users have often been targeted by hackers attempting to steal their information.
Once again, the platform is on the radar as hackers have been found using a fake Android app called ‘SafeChat’ to infect devices with spyware. This malicious software not only steals WhatsApp users’ data but also extracts other sensitive information from their phones, including call logs, texts, and GPS locations.
The spyware is suspected to be a variant of “Coverlm,” which targets communication apps like Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. According to researchers at CYFIRMA, an Indian APT hacking group called ‘Bahamut’ is responsible for this malware campaign. Its latest attacks are mainly conducted through spear-phishing messages on WhatsApp, which deliver the malicious payloads directly to the victims. Bahamut is further said to target users in India and elsewhere in South Asia.
CYFIRMA’s analysts have found that Bahamut’s methods are similar to those used by another Indian state-sponsored threat group, ‘DoNot APT’ (APT-C-35). DoNot APT has previously infected Google Play with fake chat apps that act as spyware.
SafeChat is stealing data
While CYFIRMA has not specifically revealed the social engineering aspect of the cyber attack, it makes clear that the victims are convinced to install a chat app by being led to believe it will give them a safer communication platform. “The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information before the victim realises that the app is a dummy. The malware cleverly exploits unsuspecting Android Libraries to extract and transmit data to a command-and-control server,” the report reveals.
Here is a step-by-step overview of how the spyware steals information from users’ smartphones.
- At first, the hackers persuade the victim to install the SafeChat app, which appears to be a legitimate chat app.
- Once the app is installed, it requests permission to use Accessibility Services. With that capability the app can grant itself further permissions automatically, such as access to the victim’s contacts list, SMS, call logs, external device storage, and GPS location data.
- The SafeChat app then also asks the user to approve its exclusion from Android’s battery optimization subsystem. With this exemption, the app can keep running in the background even when the user is not actively using it.
- The app then interacts with other chat apps that are already installed on the device. This allows the app to steal data from those apps, such as chat messages and media files.
- Stolen data is then encrypted and sent to the attacker’s C2 server. The encryption and certificates help the operators stay anonymous and evade detection.
Based on the nature of this attack, along with previous incidents involving APT Bahamut, CYFIRMA concludes that the group operates within Indian territory.
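The capability combination in the steps above (an accessibility service, a request to be excluded from battery optimization, and permissions for contacts, SMS, call logs, storage and location) can be checked statically before an app is installed. The following is an added example in Python, not code from the article or from CYFIRMA’s report: it parses a decoded AndroidManifest.xml (the text form that a tool such as apktool produces) and flags each of those three traits. The sample manifest, its package name and its service name are constructed placeholders for illustration, not indicators from the campaign.

```python
"""Manifest triage for the SafeChat-style capability combination.

Added example (not from the article or CYFIRMA). Parses a decoded
AndroidManifest.xml and reports three traits: an accessibility service
declaration, the battery-optimization exemption request, and permissions
that expose contacts, SMS, call logs, external storage or location.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions matching the data the article says the app collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
# Lets the app prompt the user for exclusion from Doze/battery optimization.
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# A <service> guarded by this permission is an accessibility service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest; package and service names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def extract_capabilities(manifest_xml: str) -> dict:
    """Collect declared permissions and accessibility services from a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {
        el.get(ANDROID_NAME)
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NAME)
    }
    accessibility_services = [
        svc.get(ANDROID_NAME)
        for svc in root.iter("service")
        if svc.get(ANDROID_PERMISSION) == ACCESSIBILITY_BIND
    ]
    return {
        "package": root.get("package", "<unknown>"),
        "permissions": permissions,
        "accessibility_services": accessibility_services,
        "battery_exemption": BATTERY_EXEMPTION in permissions,
    }


def triage(manifest_xml: str) -> dict:
    """Return a verdict and human-readable findings for one manifest."""
    caps = extract_capabilities(manifest_xml)
    findings = []
    has_a11y = bool(caps["accessibility_services"])
    if has_a11y:
        findings.append("declares accessibility service(s): "
                        + ", ".join(caps["accessibility_services"]))
    if caps["battery_exemption"]:
        findings.append("requests exclusion from battery optimization "
                        "(persistent background execution)")
    data = sorted({SENSITIVE_PERMISSIONS[p] for p in caps["permissions"]
                   if p in SENSITIVE_PERMISSIONS})
    if data:
        findings.append("reads sensitive data: " + ", ".join(data))
    # All three traits together is the pattern described in the article.
    if has_a11y and caps["battery_exemption"] and data:
        verdict = "HIGH"
    elif findings:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {"package": caps["package"], "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

To run it against a real app, decode the APK first and pass the manifest text to `triage()`. A HIGH verdict is a triage signal rather than proof of spyware: legitimate accessibility tools and some messaging apps declare the same service and request the same exemption, so the result should prompt a closer look at the app’s origin and behaviour, not an automatic block.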
How to stay safe
While cyber attacks are not new, it is always advisable to be wary of such incidents and take precautions. Here are some tips to protect yourself from SafeChat and similar malware and to keep your Android device safe.
- Install Apps from Trusted Sources: Only download and install apps from official app stores like Google Play Store. Avoid sideloading apps from unknown sources, as they may contain malware.
- Check App Permissions: Be cautious of apps that request unnecessary permissions. If an app asks for access to sensitive data or features that seem unrelated to its functionality, reconsider installing it.
- Keep Your Device Updated: Regularly update your Android device with the latest software and security patches. Manufacturers release updates to fix vulnerabilities and strengthen the device’s security.
- Use Security Apps: Install a reputable antivirus or security app from a trusted provider to regularly scan your device for malware and potential threats.