Security experts are sounding the alarm on a fresh case of Android malware hidden within a dubious application, primarily spreading throughout South Asian regions.
As per the cybersecurity firm Cyfirma, a so-called “mock chatting app” known as Safe Chat on the devices it infiltrates appears to require an unusually high level of permissions, especially compared to other similar malware instances it has been contrasted with.
Following a detailed examination of the malware, Cyfirma has expressed concerns that this latest onslaught could be another operation conducted by the Indian APT hacking group known as Bahamut. Once the Safe Chat app is disseminated via WhatsApp and installed, it triggers a sequence of pop-up prompts, one of which asks the user to permit background activity and disregard battery optimizations, consequently providing the hacker with ongoing access to the compromised device.
A subsequent prompt requests access to the device’s accessibility functions and, by extension, data such as keystrokes. The intruder could gain additional details, including the victim’s location, contact list, file storage, SMS messages, and call records.
This malicious software is believed to be a variant of the previously identified Coverlm, which targeted information from applications such as WhatsApp, Signal, and Telegram. The research team also identified parallels in the strategies implemented in this campaign and another led by APT DoNot, both of which prioritized the same geographic region and shared a focus on espionage.
In light of its findings, Cyfirma states that the analysis “strongly suggests that the APT group orchestrating the attack has connections to Indian territory and operates in favor of a specific nation-state government.”
When TechRadar Pro sought further details about the previous DoNot attack from Google, a company representative confirmed that the harmful apps were taken down from the Play Store. They also mentioned that “Google Play Protect safeguards users from apps identified to carry this malware on Android devices equipped with Google Play Services, even when those apps are sourced elsewhere.”
Currently, the company still needs to respond to our query specifically related to this instance.