Heads up, Android users! If you have recently installed any “Safe Chat” app for your secret chats, delete it immediately. Researchers have warned that this fake chat app aims to steal Android users’ data.
Fake Chat Apps Actively Targeting Android Users
Researchers from CYFIRMA have recently shared details about a new malware campaign targeting Android users. As explained in their post, the malicious campaign targets Android users via a fake chat app named ‘Safe Chat.’
The attack begins when the attackers trick target users into downloading the Safe Chat app via WhatsApp phishing. Once installed, the fake app wins the victim’s trust by displaying legitimate-looking pages and a series of permission requests, while its malicious components quietly take hold of the device in the background.
After installation, the app first shows a landing page with a shield icon and the text “Initializing secure connection.” This step tricks the user into believing it is a secure chat app. It then displays several popups requesting permission to ignore battery optimization and to keep running in the background.
Once these are granted, the user sees a login page for registering with the app, followed by another permission popup that, when tapped, opens the device’s Accessibility settings. Here the app demands accessibility permission; if the user declines, the app keeps re-displaying the prompt until it is granted.
With accessibility access granted, the malicious app can abuse the permission to record the screen. The user never notices the background activity, because the app shows only a plain dummy page for adding contacts and starting chats.
Reviewing the app’s code, the researchers found numerous malicious capabilities. For instance, the app requests several dangerous permissions, including access to the device’s location, contacts, SMS messages, file storage, and call logs. It also interacts with other installed chat apps, suggesting the malware may steal data from secure messengers such as WhatsApp, Signal, Telegram, or Facebook Messenger.
The malware then transmits all stolen data to its command-and-control (C&C) server over port 2053.
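As an added illustration (not part of the CYFIRMA report and not code from the app itself), here is a small Python triage script that checks a decoded AndroidManifest.xml for the pattern described above: the dangerous-permission set, an accessibility service declaration, the battery-optimization request, and package queries against other messengers. The two manifests, the package names com.example.safechat and com.example.plainchat, the service name .SpyService and the “accessibility service plus three or more dangerous permissions” threshold are all constructed for this example; the messenger package IDs are the real Play Store identifiers.

```python
# Added example (not from the CYFIRMA report or the Safe Chat APK): a static
# triage pass over an AndroidManifest.xml that flags the indicator pattern the
# article describes. The manifest strings, package names and the service name
# ".SpyService" are constructed for this demo; the "suspicious" threshold is
# an assumed heuristic, not a published rule.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# "dangerous" protection-level permissions covering the data the report lists:
# location, contacts, SMS, file storage and call logs.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CALL_LOG",
}
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Messengers named in the report, keyed by their Play Store package IDs.
CHAT_PACKAGES = {
    "com.whatsapp": "WhatsApp",
    "org.thoughtcrime.securesms": "Signal",
    "org.telegram.messenger": "Telegram",
    "com.facebook.orca": "Facebook Messenger",
}

# Constructed sample mimicking the described behaviour (not the real APK).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.safechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <queries>
    <package android:name="com.whatsapp"/>
    <package android:name="org.telegram.messenger"/>
  </queries>
  <application android:label="Safe Chat">
    <service android:name=".SpyService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign chat-app manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Plain Chat"/>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Return the indicators found in one manifest plus a heuristic verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # or filtering the AccessibilityService action; either is enough to flag it.
    a11y_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERMISSION) == BIND_A11Y
        or any(a.get(NAME) == A11Y_ACTION for a in s.iter("action"))
    ]
    # <queries><package/> entries reveal which other apps it intends to talk to.
    chat_targets = [
        CHAT_PACKAGES[p.get(NAME)] for p in root.iter("package")
        if p.get(NAME) in CHAT_PACKAGES
    ]
    dangerous = sorted(requested & DANGEROUS)

    # Assumed heuristic: an accessibility service plus three or more dangerous
    # permissions is the spyware pattern; tune it for your own triage.
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "accessibility_services": a11y_services,
        "chat_apps_queried": chat_targets,
        "ignores_battery_optimization": BATTERY in requested,
        "suspicious": bool(a11y_services) and len(dangerous) >= 3,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        for key, value in triage(manifest).items():
            print(f"{key}: {value}")
        print()
```

To use it on a real sample, first decode the binary manifest (for example with `apktool d app.apk`, which writes a readable AndroidManifest.xml) and pass that file’s contents to `triage()`. The verdict is only a screening aid: legitimate accessibility tools also declare such a service, so a hit should lead to dynamic analysis, not an automatic block.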
Victims Include South Asian Users
The researchers attribute this campaign to the Bahamut APT, a threat actor group known since 2017 for targeting users in South Asia and the Middle East. CYFIRMA also noted that Bahamut’s activities resemble those of another APT, “DoNot,” a presumably state-backed Indian threat actor group.
Bahamut APT predominantly targets individual users, and this particular campaign likely spread through WhatsApp. Hence, the key to preventing this attack is to avoid interacting with links sent from unknown sources. Users should also stay wary of unexpected links, app invites, and attachments even when they come from known contacts, and ideally confirm the message’s legitimacy with the supposed sender through another channel before clicking a link or accepting an app invite. A sideloaded chat app that insists on accessibility access is a red flag in itself, since that permission lets an app read and record whatever is on the screen.
Let us know your thoughts in the comments.