CYFIRMA researchers note an Indian APT group called Bahamut is infecting targets with a fake Android chat app – to steal sensitive data from the device.

The fake Android app comes on the pretext of a secure messenger called Safe Chat, which asks for extensive permissions when installed. And by using a secured pipeline, the malware app transports the stolen data to the hacker’s C2. Researchers linked the threat actor to another Indian APT that has similar TTPs.

A Malware-Laced Messenger

Researchers at CYFIRMA detailed a new campaign by the Bahamut team that was bundling a malware variant of “Coverlm” to steal sensitive data from targets in South Asia. The spyware malware sucks call logs, texts, and GPS locations from the target phones and exports them to the hacker’s C2 securely.

The threat actor starts by initiating a conversation with the target on WhatsApp (although it’s unknown how they social engineer the contact) and asks them to install a secure chat app called “Safe Chat” – fake and contains malware.

And when the target unsuspiciously installs the said app, they’ll be taken to a registration page to be credible but loads the spyware malware in the background. Once done, the app asks for an extensive set of Accessibility permissions to gain indirect access to the target’s contacts list, SMS, call logs, external device storage, and precise GPS location.

All the data stolen from these points are transferred to the hacker’s C2 via a dedicated data exfiltration module through port 2053. Further, to evade detection, the stolen data is encrypted using another module that supports RSA, ECB, and OAEPPadding. At the same time, the data exfiltration portal is secured through Let’s Encrypt certificates to avoid interception.

Researchers link the Bahamut group to an unnamed state government in India. They have Indian origins because their TTPs align with those of another Indian state-sponsored threat group called the ‘DoNot APT’ (APT-C-35).