An espionage-related threat actor has been luring victims since at least 2017 with fake vpn software for Android that is a trojanized version of the legitimate softvpn and openvpn software.

Researchers say the campaign was "highly targeted" and aims to steal contact and call information, device location, and also messages from several apps.

VPN service impersonation

The team is known as an advanced threat agent that leave a mark with the name of Bahamut.

ESET malware analyst, Lukas Stefanko says Bahamut redesigned the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.

By doing so, the hacker ensured that the app would still provide VPN functionality to the victim while extracting sensitive information from the mobile device.

To hide the spying process and maintain appearances, Bahamut used the name (SecureVPN, which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute its malware.

Hackers' fake VPN app can access contacts, call logs, location details, text messages, spy on chats on messaging apps like Signal, WhatsApp, Telegram, and Facebook Messenger, and also collect a list of files on external storage, Stefanko says.

ESET experts discovered eight versions of the Bahamut VPN spyware, all with version numbers that indicate the program's active development.

All of the fake apps contained code that had only been seen in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity firms Cyble and CoreSec360.

All of the fake apps contained code that had only been seen in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity firms Cyble and CoreSec360.