
SafeChat Mobile Malware

Attackers have been observed using a deceptive Android application called 'SafeChat' to infect devices with spyware. The malware is built to harvest sensitive information from the phone, including call logs, text messages and GPS location.

The Android spyware is suspected to be a variant of the 'Coverlm' malware, which is known for stealing data from communication apps. The targeted applications include Telegram, Signal, WhatsApp, Viber and Facebook Messenger.

The campaign is attributed to the Indian APT group known as 'Bahamut'. The group's recent attacks have relied primarily on spear-phishing messages sent over WhatsApp, which deliver the malicious payload directly to the victim's device. The primary targets of this Bahamut campaign are users located in South Asia.

The SafeChat Malware Masquerades as a Legitimate Messaging Application

A common tactic is to persuade the victim to install a chat application by claiming that it offers a more secure communication platform. According to infosec experts, the spyware disguised as Safe Chat presents a deceptive user interface that mimics a genuine chat app. It also walks the victim through what looks like a legitimate user registration process, which adds credibility and provides cover for the spyware's malicious activity.

A crucial step in the infection process is obtaining high-impact permissions, in particular the ability to run as an Accessibility Service. That access is then abused to grant the spyware further permissions automatically, without the user having to approve each request. As a result, the spyware gains access to the victim's contact list, SMS messages, call logs and external storage, and can retrieve precise GPS location data from the compromised device.

Additionally, snippets from the Android Manifest file show that the threat actor designed the spyware to interact with other chat applications already installed on the device. The interaction is carried out through intents; the OPEN_DOCUMENT_TREE intent action (part of Android's Storage Access Framework, and an intent action rather than a manifest permission) lets the spyware request access to a chosen directory tree and thereby reach the data of the apps named in the intent.
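The permission and intent pattern described in the two paragraphs above can be checked mechanically once the manifest has been decoded from an APK (for example with apktool). The following triage script is an added example written for this page, not SafeChat's own code or the report's tooling: it parses a constructed AndroidManifest.xml, flags the sensitive runtime permissions named above, detects an accessibility-service declaration, and lists which messaging packages and intent actions the app declares visibility for. The package names in the watch list are the public identifiers of the apps named in the report; the sample manifests, the package name `com.example.safechat` and the `is_spyware_like` threshold are assumptions made for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the spyware pattern described above.

Added example; assumes the binary manifest inside the APK has already been
decoded to plain XML (e.g. with apktool). Sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime permissions the report says the spyware obtains.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
}

# Published package names of the messaging apps the report lists (watch list constructed here).
MESSAGING_PACKAGES = {
    "org.telegram.messenger": "Telegram",
    "org.thoughtcrime.securesms": "Signal",
    "com.whatsapp": "WhatsApp",
    "com.viber.voip": "Viber",
    "com.facebook.orca": "Facebook Messenger",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the manifest features relevant to the SafeChat pattern."""
    root = ET.fromstring(xml_text)
    findings = {"permissions": [], "accessibility_service": False,
                "queried_packages": [], "queried_actions": []}
    for node in root.iter("uses-permission"):
        name = node.get(NAME, "")
        if name in SENSITIVE_PERMISSIONS:
            findings["permissions"].append(name)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent-filter listens for the AccessibilityService action.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            actions = {a.get(NAME) for a in svc.iter("action")}
            if "android.accessibilityservice.AccessibilityService" in actions:
                findings["accessibility_service"] = True
    # <queries> (Android 11+) declares which other packages and intent actions the app may see.
    for q in root.iter("queries"):
        for pkg in q.iter("package"):
            name = pkg.get(NAME, "")
            if name in MESSAGING_PACKAGES:
                findings["queried_packages"].append(name)
        for act in q.iter("action"):
            findings["queried_actions"].append(act.get(NAME, ""))
    findings["queried_packages"].sort()
    return findings


def is_spyware_like(findings: dict) -> bool:
    """Heuristic threshold (assumption): accessibility service + several data
    permissions + declared interest in at least one messaging app."""
    return (findings["accessibility_service"]
            and len(findings["permissions"]) >= 3
            and bool(findings["queried_packages"]))


# Constructed manifest reproducing the pattern from the report (not the real sample's manifest).
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.safechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <queries>
    <package android:name="org.telegram.messenger"/>
    <package android:name="com.whatsapp"/>
    <intent><action android:name="android.intent.action.OPEN_DOCUMENT_TREE"/></intent>
  </queries>
  <application>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(manifest)
        print(label, "spyware-like" if is_spyware_like(f) else "no match", f)
```

The script is a triage aid, not a verdict: legitimate accessibility tools also declare BIND_ACCESSIBILITY_SERVICE, so a hit should be followed by inspecting what the service actually does with the events it receives.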

To exfiltrate the collected data, the spyware uses a dedicated exfiltration module that sends it to the attacker's Command-and-Control (C2) server over port 2053. Before transmission the data is encrypted by a separate module using the 'RSA/ECB/OAEPPadding' cipher transformation, that is, RSA with OAEP padding (the 'ECB' in that Java Cipher string is an API naming artifact rather than a block-cipher mode; RSA-OAEP can encrypt only a payload smaller than the key modulus per operation, so it is typically used to protect a symmetric key rather than bulk data). In addition, the C2 channel is wrapped in TLS using a Let's Encrypt certificate, so the traffic looks like ordinary HTTPS to a passive observer and avoids the self-signed-certificate warnings that network inspection commonly flags.
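The two observable traits of the channel above, a fixed non-standard port and a Let's Encrypt-issued server certificate, are enough for a first-pass network detection. The following is an added example written for this page, not part of the report or the malware: it reads a constructed, simplified subset of Zeek `ssl.log` columns and flags TLS sessions to port 2053, rating a hit 'high' when the issuer names Let's Encrypt and 'medium' when no certificate was observed (Zeek records '-' for the issuer on TLS 1.3 sessions, where the server certificate is encrypted). The log lines, IP addresses (RFC 5737 documentation ranges), hostnames and the confidence labels are assumptions for illustration.

```python
"""Flag TLS sessions matching the exfiltration channel described above:
destination port 2053 with a Let's Encrypt-issued server certificate.

Added example; the input is a constructed, simplified subset of Zeek ssl.log
columns (tab separated), not a real capture.
"""
import csv
from collections import Counter

WATCHED_PORTS = {2053}            # port named in the report
ISSUER_MARKER = "Let's Encrypt"   # issuer organisation the report cites
COLUMNS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
           "version", "server_name", "issuer"]

# Constructed sample: two phones talking to the same host on 2053, plus two benign sessions.
SAMPLE_SSL_LOG = "\n".join([
    "#fields\t" + "\t".join(COLUMNS),
    "\t".join(["1690000000.100", "C1a", "10.0.0.21", "51034", "203.0.113.7", "2053",
               "TLSv12", "sync.example.net", "CN=R3,O=Let's Encrypt,C=US"]),
    "\t".join(["1690000000.200", "C2b", "10.0.0.21", "51040", "198.51.100.9", "443",
               "TLSv12", "www.example.org", "CN=R3,O=Let's Encrypt,C=US"]),
    "\t".join(["1690000000.300", "C3c", "10.0.0.33", "49200", "203.0.113.7", "2053",
               "TLSv13", "-", "-"]),
    "\t".join(["1690000000.400", "C4d", "10.0.0.33", "49211", "198.51.100.40", "8443",
               "TLSv12", "api.example.com", "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US"]),
])


def parse_ssl_log(log_text: str):
    """Yield one record per line, skipping Zeek '#' header/comment lines."""
    rows = (ln for ln in log_text.splitlines() if ln and not ln.startswith("#"))
    reader = csv.DictReader(rows, fieldnames=COLUMNS, delimiter="\t")
    for rec in reader:
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def detect_exfil_sessions(log_text: str) -> list:
    """Return alert dicts for TLS sessions to a watched port."""
    alerts = []
    for rec in parse_ssl_log(log_text):
        if rec["resp_p"] not in WATCHED_PORTS:
            continue
        # '-' means no certificate was seen (typical for TLS 1.3, where it is encrypted);
        # the port match alone still merits a lower-confidence alert.
        cert_match = ISSUER_MARKER in rec["issuer"]
        alerts.append({
            "uid": rec["uid"],
            "orig_h": rec["orig_h"],
            "resp_h": rec["resp_h"],
            "resp_p": rec["resp_p"],
            "server_name": rec["server_name"],
            "confidence": "high" if cert_match else "medium",
        })
    return alerts


def summarize_by_host(alerts: list) -> dict:
    """Count alerts per destination host to surface a shared C2 endpoint."""
    return dict(Counter(a["resp_h"] for a in alerts))


if __name__ == "__main__":
    hits = detect_exfil_sessions(SAMPLE_SSL_LOG)
    for h in hits:
        print(f"[{h['confidence']}] {h['orig_h']} -> {h['resp_h']}:{h['resp_p']} sni={h['server_name']} uid={h['uid']}")
    print("per-host:", summarize_by_host(hits))
```

A Let's Encrypt certificate on its own is not an indicator, since a large share of legitimate sites use one; the signal here is the combination of the unusual port, the certificate and, in the per-host summary, several devices converging on the same destination.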

Connections to Other Cybercrime Groups

Several Tactics, Techniques, and Procedures (TTPs) identified in the SafeChat campaign closely resemble those of another Indian state-sponsored threat group, 'DoNot APT' (APT-C-35), which has previously placed fake chat apps that function as spyware on Google Play. The similarities between the two groups include use of the same certificate authority, similar data-stealing methods, a shared targeting scope, and the use of Android apps as the infection vector.

These parallels suggest an overlap or close collaboration between the two groups, and the shared data-stealing techniques and targeting focus may indicate a common objective.

That both groups rely on Android apps for initial access further supports the possibility of collaboration or knowledge sharing. Such indications matter because pooled tooling and tradecraft would raise the sophistication of the attacks these state-sponsored groups can launch.
