A new spyware threat has been observed in attack operations targeting Android users. The malware is being tracked as SandStrike, and its main delivery method appears to be a malicious VPN application advertised as a simple yet convenient way to avoid censorship in certain regions of the world. More specifically, the threat actors are targeting Persian-speaking Android users from the Baháʼí minority. Details about the threat and the attack campaign were released in a report published by cybersecurity researchers.

The cybercriminals created dedicated Facebook and Instagram accounts containing well-crafted religious graphic materials to act as a lure. These social media accounts contain a link to a Telegram account, also created by the hackers, where the unsuspecting victims are presented with the VPN application carrying the SandStrike malware. To make the lure more convincing and give the application working functionality, the attackers set up their own VPN infrastructure.

Once SandStrike is deployed on the victim's device, it begins harvesting sensitive information and exfiltrating it to a server under the attackers' control. The collected information includes the user's call logs, contact lists and more. The threat also allows the attackers to monitor the activities carried out on the breached device.
