Hackers exploit Android chat app to steal Signal and WhatsApp user data

Emre Çitak
Aug 2, 2023
Google Android

Hackers have been found using a deceptive Android chat app known as "SafeChat" to spy on unsuspecting victims. The spyware embedded in the app targets popular messaging platforms such as Signal and WhatsApp, extracting sensitive data including call logs, text messages, and GPS locations from infected phones.

Researchers have attributed this campaign to the Indian APT group "Bahamut", which has a track record of using fake apps to steal user information.

Image: SafeChat originates from the Indian APT hacking group Bahamut

SafeChat is a serious threat to privacy

The Android spyware embedded in the "SafeChat" app has emerged as a significant threat to users of messaging applications. The malware, suspected to be a variant of "Coverlm", specifically targets popular messaging services including Telegram, Signal, WhatsApp, Viber, and Facebook Messenger, which allows the hackers to exploit vulnerabilities and extract valuable user data.

Bahamut's latest attacks primarily rely on spear-phishing messages sent over WhatsApp. These messages deliver the malicious payload, allowing the spyware onto users' devices. Victims are lured into installing "SafeChat" under the pretext of moving their conversations to a more secure platform, taken in by the convincing interface and registration process.

SafeChat uses social engineering to pass as a legitimate chat app and gain the victim's trust. Its user registration process adds credibility to the façade, while obtaining permission to use Android's Accessibility Services plays a critical role in the infection. By abusing these permissions, the spyware gains access to the victim's contact list, SMS messages, call logs, external storage, and precise GPS location data.

Image: The malware interacts with many popular Android apps

It does interact with other chat apps

A noteworthy aspect of the malware is its ability to interact with other chat applications already installed on the device. Using Android intents and the apps' specific data directories, the spyware can monitor and potentially extract data from those apps as well.

Once the spyware has collected the data, it is sent to the attacker's command-and-control (C2) server over port 2053. To evade detection, the exfiltrated data is encrypted with RSA using the RSA/ECB/OAEPPadding cipher transformation. The attackers also use a Let's Encrypt certificate for the C2 server to frustrate attempts to intercept the network traffic.


Could be state-sponsored

Researchers from CYFIRMA have gathered enough evidence to link Bahamut's activities to a specific state government in India. This conclusion is based on shared characteristics with another Indian state-sponsored threat group, the "DoNot APT" (APT-C-35).

The overlapping use of certificate authorities, data stealing methodologies, and target scope all indicate a close collaboration between the two groups.

Featured image: Freepik.
