Fake Android Chat App Found to Be Stealing User Data From Other Messengers
Cybercriminals are doubling down on distributing malware via fake mobile apps. The fake ‘Safe Chat’ Android app aims to dupe people into installing spyware under the guise of improved security.
‘Safe Chat’ uses a slick user interface and convincing guided installation process to fool users into granting the app almost unlimited permissions. The app poses a significant threat because it’s designed to exfiltrate private chat messages from secure communication platforms like Signal and WhatsApp. It also steals call logs, texts, and GPS locations from phones.
Mobile phone users are largely unprotected against fake apps unless they use a mobile VPN and anti-malware software to block the download and installation of malicious apps.
A social engineering approach to malware delivery and installation
Security researchers have identified the source of the malware as Bahamut, a threat actor based in India. Last year, the group was in the news for distributing fake Android VPN apps that extracted conversations from chat apps such as Telegram, Viber, and Facebook Messenger.
Spear phishing on chat platforms is the primary delivery mechanism. The attackers contact users directly on chat platforms such as WhatsApp with an invitation to move the conversation to a more secure chat platform with improved functionality.
The Safe Chat app features a slick user registration process and user interface that reinforces the app’s appearance as a reliable and secure chat service. The user registration process adds credibility, but the attacker abuses it to give the spyware extraordinary user permissions.
Devious permissions requests
Once installed, the Safe Chat app onboards the user via an authentic-looking user registration process. It then uses a devious request for access to ‘Accessibility Services’ to obtain permission to capture keystrokes, which the malware abuses afterward to grant itself further permissions automatically.
A series of pop-up messages then requests extra app permissions, including allowing background activity and excluding the app from battery optimization. These permissions allow the attacker to maintain continuous access to the device and to keep the exfiltration process running even when the user isn’t actively engaging with the app.
The spyware ends up with access to contacts, messages, media files, SMS, call logs, and even external device storage and precise GPS location data.
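The two grants described above (an enabled accessibility service plus a user-approved battery optimization exemption) are both visible in device settings, so an incident responder with USB debugging access can check for them without touching the APK. The following is an added triage helper, not code from the article or from Cyfirma: it parses the text printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys deviceidle whitelist` and reports packages that hold both grants. The sample outputs and the package name `com.example.safechat` are constructed placeholders, not real indicators, and the known-good TalkBack entry is an assumption you would replace with your own vetted list.

```python
"""Correlate accessibility-service grants with battery-optimization exemptions.

Added example (not from the article). Inputs are the raw text that these
commands print on a device with USB debugging enabled:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys deviceidle whitelist
"""
from dataclasses import dataclass, field

# Accessibility packages already vetted by the analyst (assumption: TalkBack).
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}

# Constructed sample output: TalkBack plus a suspicious chat app (placeholder name).
A11Y_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.safechat/com.example.safechat.svc.AccessService"
)
WHITELIST_SAMPLE = """\
system-excidle,com.android.providers.downloads,10007
system,com.google.android.gms,10030
user,com.example.safechat,10142
"""


def parse_enabled_a11y(value: str) -> dict:
    """Map package -> set of service classes from the colon-separated
    'package/class' list that the settings command prints ('null' if none)."""
    services = {}
    value = value.strip()
    if value in ("", "null"):
        return services
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, set()).add(cls)
    return services


def parse_deviceidle_whitelist(text: str) -> dict:
    """Map package -> exemption type. 'user' means the app prompted the user to
    exclude it from battery optimization; 'system*' entries ship with the OS."""
    exempt = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            kind, pkg, _uid = parts
            exempt[pkg] = kind
    return exempt


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def triage(a11y_value: str, whitelist_text: str, known_good=KNOWN_GOOD_A11Y) -> list:
    """Return one Finding per non-vetted package with an accessibility service,
    noting whether it also obtained a user-granted battery exemption."""
    a11y = parse_enabled_a11y(a11y_value)
    exempt = parse_deviceidle_whitelist(whitelist_text)
    findings = []
    for pkg, classes in a11y.items():
        if pkg in known_good:
            continue
        reasons = ["accessibility service enabled: " + ", ".join(sorted(classes))]
        if exempt.get(pkg) == "user":
            reasons.append("user-granted battery optimization exemption")
        findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(A11Y_SAMPLE, WHITELIST_SAMPLE):
        print(f.package)
        for r in f.reasons:
            print("  -", r)
```

A package that shows up with both reasons is not automatically malware (screen readers and some automation tools legitimately hold accessibility access), but a chat app in that position is exactly the pattern the article describes and deserves a closer look at its APK.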
Stealing personal data
The spyware contains a module designed to monitor and interact with other chat apps on the device. It uses ‘intents’ to name target applications and then uses its ‘OPEN_DOCUMENT_TREE’ permission to interact with specific directories. This allows it to monitor and extract data from the named apps (e.g., WhatsApp or Signal).
The software encrypts the stolen data using RSA in ECB mode with OAEP padding (the Java cipher transformation RSA/ECB/OAEPPadding), uses a free “Let’s Encrypt” certificate to shield the traffic from network interception, and sends the data to the attacker’s Command and Control (C2) server via port 2053. Interestingly, the attackers use the same certificate authority as the ‘DoNot’ group (APT-C-35), a known Indian state-sponsored threat group. Other common characteristics are their geographical focus, the use of fake Android apps to infect targets, and their emphasis on espionage.
Bahamut targets individuals in South Asia
This spyware seems to target users in South Asia, and Cyfirma researchers have concluded that Bahamut’s activities are state-sponsored. The conclusion is based on the substantial number of characteristics it shares with ‘DoNot,’ an Indian state-sponsored threat group responsible for ‘Coverlm.’
Coverlm has previously been found to steal data from secure communication apps, including Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.
How to protect against fake app downloads
Phony apps pose a significant malware threat to unsuspecting users. Mobile apps are incredibly popular, and users are often unaware that apps can infect their devices with malware.
- Use security tools – It’s becoming unthinkable to navigate the internet without the protection of a reliable anti-malware solution and a VPN to safeguard people’s privacy and prevent malicious apps’ accidental installation.
- Don’t believe the app’s marketing rap. It’s not safe just because it says so on the label!
- Examine the user ratings for false reviews.
- Don’t be an early adopter. Wait a while after a new app appears to benefit from any lessons that early users learn.
- Examine the app’s permissions before clicking ‘Accept.’
- Stick to approved sources. Don’t download apps from third-party websites.
- Set up two-factor authentication (2FA) on sensitive apps, especially shopping and messaging software.
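Examining an app’s permissions is easier with a checklist tied to what this campaign actually asked for: SMS, call logs, contacts, precise location, storage, a battery optimization exemption, and an accessibility service. The following is an added example, not code from the article or from Cyfirma: it audits a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) against that list and scores it. The two manifests and the package name `com.example.safechat` are constructed for illustration, and the risk weights are my own assumption, not a published scoring scheme.

```python
"""Score a decoded AndroidManifest.xml against the Safe Chat permission pattern.

Added example (not from the article). Expects the human-readable manifest that
apktool writes, not the binary XML inside the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERM = "{%s}permission" % ANDROID_NS

# Permissions matching the data the article says the spyware steals, plus the
# persistence grants it requests. Weights are an assumption for illustration.
RISKY = {
    "android.permission.READ_SMS": ("SMS content", 3),
    "android.permission.READ_CALL_LOG": ("call logs", 3),
    "android.permission.READ_CONTACTS": ("contacts", 2),
    "android.permission.ACCESS_FINE_LOCATION": ("precise GPS location", 2),
    "android.permission.READ_EXTERNAL_STORAGE": ("external storage", 2),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("battery optimization exemption", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("restart after reboot", 1),
}
# An accessibility service is a <service> guarded by this permission.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4

# Constructed manifest resembling the pattern described (placeholder package).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.safechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Safe Chat">
    <service android:name=".svc.AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary chat app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Plain Chat"/>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Return package name, risk score and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0
    for up in root.iter("uses-permission"):
        name = up.get(NAME)
        if name in RISKY:
            label, weight = RISKY[name]
            findings.append("%s (%s)" % (name, label))
            score += weight
    for svc in root.iter("service"):
        if svc.get(PERM) == ACCESSIBILITY:
            findings.append("accessibility service declared: %s" % svc.get(NAME))
            score += ACCESSIBILITY_WEIGHT
    return {"package": root.get("package", "?"), "score": score, "findings": findings}


def verdict(score: int) -> str:
    """Thresholds are an assumption; tune them to your own review policy."""
    if score >= 8:
        return "do not install"
    if score >= 3:
        return "review manually"
    return "no permission concerns"


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = audit_manifest(text)
        print(r["package"], r["score"], verdict(r["score"]))
        for f in r["findings"]:
            print("  -", f)
```

The accessibility check is the decisive one: a messaging app has no legitimate reason to declare an accessibility service, whereas several of the dangerous runtime permissions (contacts, location) are normal for chat apps on their own and only become suspicious in combination.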
Conclusion
Neither Google Play nor the App Store can guarantee the safety of all their apps. There are simply too many new apps every day. Blind trust can be disastrous, so be aware of the dangers of phishing. The mobile app landscape has always been treacherous, but with the help of AI, cybercriminals are becoming more adept at social engineering techniques. Do we need all those mobile phone apps? Delete unused apps regularly, and don’t let a polished user interface fool you into installing malware.