Cybercriminals are using a fake chat app to steal data from other messaging apps

Android Malware

Cybercriminals are using a fake Android messaging app called ‘SafeChat’ to infect devices and install malware to steal call logs, texts, and GPS locations. This malware steals data from other messaging apps such as Telegram, Signal, WhatsApp, Viber, and Messenger.

Researchers at CYFIRMA discovered this Android malware targeting people in the South Asia region. As per their analysis, the Indian APT hacking group ‘Bahamut’ is behind this malware campaign. This fake app is suspected to use Coverlm malware.

The app has a polished user interface that makes people believe it is a legitimate messaging app. Once the app is opened, it shows a landing page notifying users that they are using a secure chat app. It then asks users to grant the necessary permissions. Once the user grants all the permissions the app asks for, the app keeps working even when it is minimized or closed.

After the permissions are granted, the app lets users sign up or log in. Once the user proceeds with this step, the app again asks for permission. This time, allowing the permission takes the user to the accessibility page and asks them to enable accessibility for the SafeChat app. This option lets the SafeChat app capture activity on the screen, including keystrokes.
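As a defensive check for the permission pattern described above, the following added example (not code from CYFIRMA or from this article) audits which apps have an accessibility service enabled and also hold access to call logs, texts, or location. It assumes the setting string was read with `adb shell settings get secure enabled_accessibility_services` and that granted permissions were collected separately; the package `com.example.safechat`, its service name, and all sample values are constructed placeholders.

```python
# Added example with constructed sample data; nothing here comes from the CYFIRMA report.
# Permissions covering the data the article says is stolen: call logs, texts, GPS.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "texts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}

def parse_accessibility_services(setting_value):
    """Parse the colon-separated package/ServiceClass list stored in the
    enabled_accessibility_services secure setting ("null" or empty = none)."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return {}
    services = {}
    for component in value.split(":"):
        package, _, service = component.strip().partition("/")
        if package:
            services.setdefault(package, []).append(service)
    return services

def audit(setting_value, granted_permissions, trusted_packages):
    """Flag untrusted packages with accessibility enabled, ranked by how much
    of the sensitive data named in the article they can also read."""
    findings = []
    enabled = parse_accessibility_services(setting_value)
    for package, services in sorted(enabled.items()):
        if package in trusted_packages:
            continue
        grants = granted_permissions.get(package, set())
        held = sorted(label for perm, label in SENSITIVE.items() if perm in grants)
        findings.append({
            "package": package,
            "services": services,
            "sensitive_access": held,
            "priority": "high" if len(held) >= 2 else "review",
        })
    return findings

# Constructed sample: TalkBack plus a placeholder package standing in for a fake chat app.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.safechat/.A11yService")
SAMPLE_GRANTS = {"com.example.safechat": set(SENSITIVE) | {"android.permission.INTERNET"}}
TRUSTED = {"com.google.android.marvin.talkback"}  # allowlist chosen by the auditor

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_GRANTS, TRUSTED):
        print(finding)
```

Any untrusted package is reported even with no sensitive permissions, since an enabled accessibility service alone can observe screen content and keystrokes.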

CYFIRMA has published a detailed report with code analysis. If you are interested in understanding how this malware actually works, you can read that report. At the end of the report, CYFIRMA concludes that Bahamut is acting on behalf of one nation state government. We are not sure if this is true and cannot say if CYFIRMA researchers are right or wrong in this case.

Via Bleeping Computer
