SafeChat Mobile Malware Targets Mobile IM Services

android smartphone mobile malware

Hackers have been identified using a deceptive Android messaging app, referred to as SafeChat, to conduct espionage on unsuspecting targets. The malicious app, believed to be associated with the Indian APT hacking group known as Bahamut, focuses on popular communication platforms like Signal and WhatsApp, extracting sensitive information such as call logs, messages, and GPS locations from compromised smartphones.

This sophisticated hacking campaign has raised concerns among users of communication applications. The spyware embedded within SafeChat, suspected to be a variant of "Coverlm", specifically targets messaging services like Telegram, Signal, WhatsApp, Viber, and Facebook Messenger, enabling the operators to harvest user data from those apps.

Bahamut's recent attacks rely mainly on spear-phishing messages sent through WhatsApp. These messages act as the delivery mechanism for the malicious payload, letting the spyware reach the victim's device without raising suspicion. Victims are lured into installing SafeChat under the guise of moving to a more secure platform, and the app's convincing interface and registration process keep up the pretence.

SafeChat Obtains Excessive Permissions

To appear genuine, SafeChat relies on social engineering: it earns the victim's trust while asking for permission to use the Accessibility Services, which play a crucial role in the infection process. By abusing the permissions it is granted, the spyware gains access to the victim's contacts, SMS, call logs, external device storage, and precise GPS location data.

Notably, the malware can also interact with other chat applications already installed on the device, using intents and those apps' specific data directories, and so can potentially extract data from these apps as well.
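The permission combination described above is something a defender can triage for directly. The following Python script is an added example, not code from the article or from CYFIRMA: it parses a constructed excerpt laid out like `adb shell dumpsys package` output together with a constructed value of the `enabled_accessibility_services` secure setting, and flags any package that has an enabled accessibility service and also requests a SafeChat-style bundle of contacts, SMS, call-log, storage and location permissions. All package names and service names are hypothetical.

```python
import re

# Permissions that, requested together by one app, give the data-collection
# reach described for SafeChat (contacts, SMS, call logs, storage, GPS).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "external storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
}

# Constructed excerpt modelled on `adb shell dumpsys package` output.
# Package names are hypothetical; only the layout matters to the parser.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.safechat] (1a2b3c):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.weather] (4d5e6f):
    userId=10232
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
  Package [com.example.screenreader] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
"""

# Constructed value in the format of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service entries).
SAMPLE_ENABLED_A11Y = (
    "com.example.safechat/.ChatAccessibilityService:"
    "com.example.screenreader/.ReaderService"
)


def parse_requested_permissions(dumpsys_text):
    """Return {package: set of requested permissions} from a dumpsys package dump."""
    result = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith("permissions:"):
            in_requested = False          # another section, e.g. "install permissions:"
        elif in_requested and "." in stripped:
            result[current].add(stripped.split(":")[0])
    return result


def parse_enabled_accessibility(setting_value):
    """Return the set of packages that have an enabled accessibility service."""
    packages = set()
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if "/" in entry:
            packages.add(entry.split("/", 1)[0])
    return packages


def triage(dumpsys_text, enabled_a11y_value, min_categories=3):
    """Flag packages that combine an enabled accessibility service with a
    SafeChat-style bundle of data-access permissions.

    Returns {package: sorted list of data categories} for flagged packages only."""
    perms = parse_requested_permissions(dumpsys_text)
    a11y = parse_enabled_accessibility(enabled_a11y_value)
    flagged = {}
    for pkg in a11y:
        categories = {SENSITIVE_PERMISSIONS[p] for p in perms.get(pkg, set())
                      if p in SENSITIVE_PERMISSIONS}
        if len(categories) >= min_categories:
            flagged[pkg] = sorted(categories)
    return flagged


if __name__ == "__main__":
    for pkg, data in triage(SAMPLE_DUMPSYS, SAMPLE_ENABLED_A11Y).items():
        print(f"{pkg}: accessibility service enabled + access to {', '.join(data)}")
```

To run this against a real device, feed the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` into the two parsers. Legitimate screen readers and automation tools also enable accessibility services, so the signal is the accessibility service combined with the bundle of data permissions, not the service on its own; the `min_categories` threshold controls how many data categories a package must reach before it is reported.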

After gathering the stolen data, the spyware transmits it to the attackers' Command and Control (C2) server over port 2053. To hinder analysis, the stolen data is encrypted with RSA using OAEP padding (the RSA/ECB/OAEPPadding cipher transformation), and the attackers use a Let's Encrypt ("letsencrypt") TLS certificate on the C2 server to defeat interception of the network traffic.
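On the network side, the non-standard C2 port and the certificate issuer are the two observables the paragraph gives a defender to pivot on. The following Python script is an added example, not the article's or CYFIRMA's code: it parses a constructed Zeek-style `ssl.log` excerpt (tab-separated, real Zeek field names, reduced column set; all addresses, hostnames and timestamps are made up) and summarises TLS sessions to watched ports by destination, recording how many internal hosts reached each one and whether the server certificate was issued by Let's Encrypt.

```python
# Constructed Zeek-style ssl.log excerpt: tab-separated, Zeek field names,
# reduced column set. Addresses (RFC 5737 test ranges), hostnames and
# timestamps are made up.
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tissuer
1690948800.10\t10.0.0.21\t51234\t192.0.2.10\t443\twww.example.com\tCN=Example CA,O=Example Inc,C=US
1690948801.22\t10.0.0.21\t51240\t203.0.113.77\t2053\tupdate.example-cdn.net\tCN=R3,O=Let's Encrypt,C=US
1690948802.51\t10.0.0.35\t51250\t203.0.113.77\t2053\tupdate.example-cdn.net\tCN=R3,O=Let's Encrypt,C=US
1690948803.00\t10.0.0.35\t51260\t198.51.100.9\t443\tmail.example.org\tCN=R3,O=Let's Encrypt,C=US
1690948804.73\t10.0.0.21\t51270\t203.0.113.77\t2053\tupdate.example-cdn.net\tCN=R3,O=Let's Encrypt,C=US
#close\t2023-08-02-00-00-10
"""

WATCH_PORTS = {2053}  # the C2 port reported for SafeChat


def parse_zeek_log(text):
    """Return one dict per data row of a Zeek TSV log, keyed by the #fields names.
    Header/trailer lines (#fields, #close, ...) are consumed, not returned."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def summarize_watched_ports(rows, watch_ports=WATCH_PORTS):
    """Group TLS sessions to watched non-standard ports by destination.

    Returns {(resp_h, resp_p): {"sources": number of distinct internal hosts,
    "sessions": number of sessions, "lets_encrypt": whether any session's
    server certificate was issued by Let's Encrypt, "sni": server_name}}."""
    by_dest = {}
    for r in rows:
        port = int(r["id.resp_p"])
        if port not in watch_ports:
            continue
        entry = by_dest.setdefault((r["id.resp_h"], port), {
            "sources": set(), "sessions": 0,
            "lets_encrypt": False, "sni": r["server_name"],
        })
        entry["sources"].add(r["id.orig_h"])
        entry["sessions"] += 1
        entry["lets_encrypt"] = entry["lets_encrypt"] or "Let's Encrypt" in r["issuer"]
    return {
        dest: {"sources": len(e["sources"]), "sessions": e["sessions"],
               "lets_encrypt": e["lets_encrypt"], "sni": e["sni"]}
        for dest, e in by_dest.items()
    }


if __name__ == "__main__":
    summary = summarize_watched_ports(parse_zeek_log(SAMPLE_SSL_LOG))
    for (host, port), info in summary.items():
        print(f"{host}:{port} sni={info['sni']} sessions={info['sessions']} "
              f"from {info['sources']} host(s) lets_encrypt={info['lets_encrypt']}")
```

Treat the output as a triage list rather than a verdict: Let's Encrypt certificates are ubiquitous, and port 2053 is also one of Cloudflare's alternate HTTPS ports, so a destination earns attention when it is reached by few hosts, on a rare SNI, at regular intervals, and, on a managed Android fleet, from an app that has no business talking to it.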

Researchers from CYFIRMA have accumulated enough evidence to link Bahamut's activities to a specific state government in India, drawing similarities with another Indian state-sponsored threat group, the DoNot APT (APT-C-35). The shared use of certificate authorities, data-stealing methodologies, and target scope strongly indicates a close collaboration between the two groups.

August 2, 2023