Cybermercenary Group Targets People in the Middle East and East Asia with Fake VPN

A concerning new report from security company ESET reveals government-sponsored spyware has been posing as VPN apps to target people in the Middle East and South Asia. These fake VPN apps have reportedly been up and running since January 2022 and researchers believe the Bahamut advanced persistent threat (APT) group is running them. 

Bahamut is an infamous hackers-for-hire organization. At this point, it’s unclear who is sponsoring the spyware. The spyware apps are spread via a fake SecureVPN website for Android devices. SecureVPN is a legitimate multi-platform service, but this fake website only provides apps for Android.

It’s unknown how many people this has affected so far since, unlike popular app stores, the fake SecureVPN website doesn’t show download numbers. Research shows the spyware is complex, though, and may be targeting specific people.

Sophisticated Spyware Targeting Specific Victims

According to ESET’s researchers, this is an active and well-managed campaign, with multiple VPN app versions and updates throughout the year. Bahamut created trojanized versions of two existing VPN apps, SoftVPN and OpenVPN, using spyware code similar to what the group has used in the past. Apparently, there have been at least eight versions of these maliciously patched apps distributed on the website.

A fake SecureVPN website with a download warning
The threat actors used a free website template to create the distribution website.

So far the spyware versions of these apps have only been distributed via the fake SecureVPN website, as far as the researchers could tell. This isn’t a random spray-and-pray cybercrime either, but looks like a targeted campaign. Once downloaded, the fake VPN apps require an activation key to work. 

A fake VPN app asking for an activation key
The malware Android apps are unusable without the correct activation code, presumably sent with a download link to specific targets.

ESET assumes the spyware group sends the website link and an activation key to specific victims. Although it’s unclear who the specific targets are or how the group communicates with them, it’s assumed they reside in the Middle East and South Asia. These are the regions Bahamut has typically targeted in the past. 

Without the activation key, the app won’t work and the malware won’t launch. That may sound counterintuitive, but this makes it very hard for researchers to analyze the malware. It also fits the group’s modus operandi. 

This is alarming because people often download VPNs to become anonymous and protect themselves against censorship and persecution, and this circumvents that purpose of using a VPN.

Bahamut Has a History of Targeted Spear Phishing Campaigns

Bahamut, a name coined by the Bellingcat investigative journalism group, is a well-known mercenary group offering hack-for-hire services that specializes in espionage. Security companies have been following and highlighting its exploits for years. The group has a few tells that mark its work. 

This includes collecting data in a local database before sending it to a command-and-control (C&C) server. According to ESET, this is a tactic rarely seen in mobile cyberespionage apps. Like the group’s previous operations, these fake VPN apps are designed to extract extremely sensitive information about its victims. 

In addition to spying on victims’ chat messages (including on encrypted messenger apps), the spyware also collects people’s:

    • ☎️ Call logs
    • 📞 Phone calls (records them)
    • 📩 SMS messages
    • 📓 Contacts
    • 🌎 Device location

The reason the spyware is able to collect people’s communications on encrypted messaging software like WhatsApp, Telegram, and Signal is because it uses a keylogging functionality that misuses Android’s accessibility services. This circumvents the protection provided by the encryption these apps use since the attackers have direct access to what people are typing.

While it’s not clear who the company is currently targeting with these fake VPN apps, researchers are speculating they may be located in the Middle East and East Asia since this is where Bahamut typically operates. In the past, the threat actor has targeted a range of economic, political, and non-governmental targets, including both individuals and organizations.

Even if you’re not part of the list of victims Bahamut is targeting with this instance of malware, it’s still a good lesson in avoiding risky online behavior. First and foremost, you should know the warning signs of both email and SMS phishing techniques. 

Bahamut uses sophisticated methods, so its techniques may not always fit the general phishing profile. That makes the group’s attacks harder to detect, but applying some common sense can still help in this matter. For example:

    • 💡 Legitimate VPN services will never reach out to you directly to promote their services or get you to download their app.
    • 💡 Real VPN services will list their apps for download on valid app stores like the Apple App Store and Google Play Store in addition to their own websites.
    • 💡 Authentic VPN services will generally support more than one platform and operating system.
    • 💡 Free VPNs are unsafe under normal circumstances as they typically sell your data for money, so avoid them at all costs. Their safety measures also don’t live up to standard.

To protect yourself against malicious software, follow basic digital safety protocols:

    • ✅ Never click on links sent from unknown sources, even if the email or message seems legitimate.
    • ✅ Only download apps from reputable sources that you searched for yourself and avoid using download links sent by others.
    • ✅ Review and change app permissions that seem unwarranted — only allow permissions an app would reasonably need to function.
    • ✅ Don’t download apps you don’t need and delete any that you haven’t used in a while.
    • ✅ Be extra careful if you’re an Android user as the platform is heavily targeted and vulnerable. Apple users have additional security measures like Lockdown Mode, but they aren’t safe either.

VPNs have become synonymous with digital safety. While premium VPNs like CyberGhost have taken every measure to protect your safety and anonymity, not all VPNs are created the same, or in this case, aren’t even VPNs at all. Keeping your devices safe requires a bit of work. Whenever you want to install a VPN, do some research first to make sure it’s safe to use.

A reputable VPN has a strong No Logs policy, a track record for protecting people’s data with zero leaks or data handovers to authorities, and a comprehensive Transparency Report. This is a good lesson for why it’s safer to stick with trustworthy VPNs and avoid free or suspicious-looking ones.

Leave a comment

Write a comment

Your email address will not be published. Required fields are marked*