The Indian hacker group Bahamut has been found to use a fake Android application called Safechat to distribute spyware. The malicious program steals call logs, text messages, and location data from infected mobile devices.
According to Cyfirma researchers, the spyware is believed to be a variant of the program used by the Donot APT group (also tracked as APT-C-35). Both groups target people in South Asia and operate in similar ways.
The Safechat application is designed to look like a legitimate messenger so that users believe it is safe, and its registration flow adds to that impression of credibility. In reality, the app is a cover for installing the spyware.
A key step in the infection chain is persuading the victim to enable the app's accessibility service. The spyware then abuses that service to click through the system permission prompts on the user's behalf, granting itself the remaining permissions it needs without further interaction.
Those permissions give the spyware access to the user's contact list, SMS messages, call logs, external storage, and location.
The application also asks the user to exclude it from battery optimization. Android's battery optimization would otherwise restrict background work while the user is not interacting with the app; with it disabled, the spyware can keep collecting and uploading data in the background.
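The permission pattern described above (an accessibility service declared alongside SMS, call-log, storage and location permissions, plus a request to be exempted from battery optimization) is something an analyst can check statically in an APK's manifest before running the sample. The script below is an added illustration, not Cyfirma's tooling or anything taken from the Safechat sample. It assumes the manifest has already been decoded from Android's binary XML to plain XML (for example with apktool or androguard), and the manifest it parses is a constructed sample that merely mimics a chat app asking for far more than a messenger needs.

```python
"""Static triage of a decoded AndroidManifest.xml for the spyware permission
pattern: an accessibility service combined with data-theft permissions and a
request to ignore battery optimizations.

Added example, not Cyfirma's tooling or the Safechat sample. Assumes the
manifest has already been decoded to plain XML (e.g. with apktool or
androguard); SAMPLE_MANIFEST below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that, together with an accessibility service, cover the data
# the article says the spyware steals.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
BATTERY_OPT_PERMISSION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (hypothetical package name, NOT the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.safechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="SafeChat">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)

    requested = {
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    }

    # An accessibility service is a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE that filters the AccessibilityService action.
    accessibility_services = []
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) != ACCESSIBILITY_BIND:
            continue
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(NAME_ATTR))

    spy_perms = sorted(requested & SPY_PERMISSIONS)
    findings = {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "spy_permissions": spy_perms,
        "ignores_battery_optimization": BATTERY_OPT_PERMISSION in requested,
    }
    # Heuristic verdict: an accessibility service plus at least two
    # data-theft permissions is the combination worth a manual look.
    findings["suspicious"] = bool(accessibility_services) and len(spy_perms) >= 2
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The verdict is deliberately a heuristic: screen readers and automation tools legitimately declare accessibility services, so the combination with SMS and call-log access is what separates a candidate for manual review from a false positive.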
The stolen data is encrypted with RSA using the Java Cipher transformation "RSA/ECB/OAEPPadding" (the "ECB" in that string is Java's placeholder mode name for RSA, not a block-cipher mode) and sent from the infected device to the attackers' server over TCP port 2053. The server presents a TLS certificate issued by Let's Encrypt, so the exfiltration traffic validates like ordinary HTTPS and is harder to intercept or inspect.
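Port 2053 and a Let's Encrypt issuer are the two network indicators the report gives, and neither is high-fidelity on its own (Let's Encrypt is the most common CA on the internet, and 2053 is also one of the alternate HTTPS ports used by Cloudflare), so they are best hunted together and grouped by client device. The script below is an added example, not Cyfirma's detection content; it runs over constructed JSON-lines records in the shape of a Zeek ssl.log (fields such as "id.resp_p", "server_name" and "issuer"), and every address, hostname and timestamp in it is invented.

```python
"""Hunt for the reported network indicators in Zeek-style ssl.log records:
TLS sessions to TCP port 2053 whose server certificate was issued by
Let's Encrypt, grouped by client so beaconing devices stand out.

Added example, not Cyfirma's detection content. SAMPLE_SSL_LOG is
constructed JSON-lines data in the shape of Zeek's ssl.log; all addresses,
names and timestamps are invented.
"""
import json
from collections import Counter

SUSPECT_PORT = 2053
LETSENCRYPT_MARKER = "Let's Encrypt"

# Constructed sample: one device (10.0.0.42) repeatedly reaching an unusual
# port with a Let's Encrypt cert, benign traffic on 443 with the same CA, and
# a 2053 session to a server using a different CA.
SAMPLE_SSL_LOG = """
{"ts": 1690800000.1, "id.orig_h": "10.0.0.42", "id.resp_h": "203.0.113.9", "id.resp_p": 2053, "server_name": "cdn-update.example", "issuer": "CN=R3,O=Let's Encrypt,C=US", "validation_status": "ok"}
{"ts": 1690800001.5, "id.orig_h": "10.0.0.42", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "www.example.org", "issuer": "CN=R3,O=Let's Encrypt,C=US", "validation_status": "ok"}
{"ts": 1690800002.0, "id.orig_h": "10.0.0.17", "id.resp_h": "192.0.2.25", "id.resp_p": 2053, "server_name": "dns.example.net", "issuer": "CN=Example Corp CA,O=Example Corp,C=US", "validation_status": "ok"}
{"ts": 1690800003.3, "id.orig_h": "10.0.0.42", "id.resp_h": "203.0.113.9", "id.resp_p": 2053, "server_name": "cdn-update.example", "issuer": "CN=R3,O=Let's Encrypt,C=US", "validation_status": "ok"}
"""


def parse_ssl_log(text: str) -> list[dict]:
    """Parse JSON-lines ssl.log content, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_indicators(rec: dict) -> bool:
    """True when a session hits both indicators: port 2053 and a Let's Encrypt issuer."""
    return (
        rec.get("id.resp_p") == SUSPECT_PORT
        and LETSENCRYPT_MARKER in rec.get("issuer", "")
    )


def hunt(records: list[dict]) -> dict:
    """Group matching sessions by (client, server, SNI) so an analyst sees
    which devices are beaconing and to where, not just a flat list of hits."""
    hits = [r for r in records if matches_indicators(r)]
    pairs = Counter(
        (r["id.orig_h"], r["id.resp_h"], r.get("server_name")) for r in hits
    )
    return {
        "matches": len(hits),
        "by_pair": dict(pairs),
        "clients": sorted({r["id.orig_h"] for r in hits}),
    }


if __name__ == "__main__":
    result = hunt(parse_ssl_log(SAMPLE_SSL_LOG))
    for (client, server, sni), n in result["by_pair"].items():
        print(f"{client} -> {server} ({sni}): {n} session(s) on port "
              f"{SUSPECT_PORT} with a Let's Encrypt certificate")
```

On a real network the matching records should be joined with device inventory (is the client a managed phone, and does it have the app installed?) before anyone acts on them; the grouping by client is what makes that follow-up tractable.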
Cyfirma suggests there may be a connection between Bahamut and a specific state body in India. Furthermore, the use of the same certificate as the Donot APT group, together with similar data-theft techniques and the same reliance on fake Android applications, points to possible collaboration between the two groups.