WhatsApp is one of the most use instant messaging platforms around the globe. In India also has millions of users, making it a prime target in the cyber world. From scams to cyber attacks, WhatsApp users have often target by hackers attempting to steal their information.
Again, the platform is on the radar as hackers have found using a fake Android app call as ‘SafeChat‘ to infect devices with spyware malware.
This malicious software not only steals WhatsApp users’ data but also extracts other sensitive information from their phones, including call logs, texts, and GPS locations.
The spyware is suspect to be a variant of “Coverlm” which targets communication apps like Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
According to researchers at CYFIRMA, an Indian APT hacking group call as ‘Bahamut‘ is responsible for this malware campaign.
Their latest attacks are mainly conduct through spear-phishing messages on WhatsApp, which distribute the malicious payloads directly to the victims.
Bahamut is further said to target users around India and in South Asia.
CYFIRMA’s analysts have found that Bahamut’s methods are similar to those use by another Indian state-sponsor threat group, ‘DoNot APT‘ (APT-C-35).
DoNot APT has previously infect Google Play with fake chat apps that act as spyware.
While CYFIRMA has not specifically reveal the social engineering aspect of the cyber attack, it clears out that the victims are convince to install a chat app by believing it will lead to a safer communication platform.
As per CYFIRMA report :
"The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information, before the victim realises that the app is a dummy, the malware cleverly exploits unsuspecting Android Libraries to extract and transmit data to a command-and-control server,".
How Spyware is Stealing Information from users Smartphones?
- At first, the hackers persuade the victim to install the SafeChat app, which appears to be a legitimate chat app.
- When the app is install, it requests permissions to use Accessibility Services. These permissions allow the app to automatically grant itself more permissions, such as access to the victim’s contacts list, SMS, call logs, external device storage, and GPS location data.
- Then the SafeChat app also requests the user to approve exclusion from Android’s battery optimization subsystem. With this the app gets permission to continue to run in the background even when the user is not actively using it.
- The app then interacts with other chat apps that are already install on the device. This allows the app to steal data from those apps, such as chat messages and media files.
- Stolen data is then encrypted and sent to the attacker’s C2 server. Encryption and certificates ensure anonymity and evade detection.
CYFIRMA further concludes seeing the nature of this attack with previous incidents involving APT Bahamut, the APT group operates within Indian territory.
How to Stay Safe from Spyware?
As cyber attacks are not new, it is always advisable to be wary of such incidents and take precautions to stay safe.
Here are some tips to protect yourself from SafeChat and other malware and to keep your Android device safe.
Install Apps from Trusted Sources
Only download and install apps from official app stores like Google Play Store.
Avoid sideloading apps from unknown sources, as they may contain malware.
Check App Permissions
Be cautious of apps that request unnecessary permissions.
If an app asks for access to sensitive data or features that seem unrelated to its functionality, reconsider installing it.
Keep Your Device Updated
Regularly update your Android device with the latest software and security patches.
Manufacturers release updates to fix vulnerabilities and strengthen the device’s security.
Use Security Apps
Install a reputable antivirus or security app from a trusted provider to regularly scan your device for malware and potential threats.
