Hackers Are Stealing User Data Through a Fake Android Chat App


Hackers are using a fake app called Safe Chat to gain access to data belonging to Android users in South Asia.

They steal data such as call logs, text messages, contacts, and GPS location from WhatsApp and other apps.

More on Safe Chat

Cybersecurity company Cyfirma examined Safe Chat and found it to be just a cover for spyware functions.

It features a deceptive interface that resembles other popular chat apps. Hackers designed it this way to add credibility and attract more victims.

One of the things the app asks for during the setup process is permission to use Accessibility Services. Safe Chat abuses this permission to give its spyware access to more data than similar apps require.

Once the spyware is activated, it starts stealing information such as call logs, text messages, contact lists, external device storage, and even the user’s GPS location.

Another thing Safe Chat requires is exclusion from Android battery optimization. This lets the app operate even when the device owner isn’t actively engaging with it.

When the user grants permission, the spyware starts interacting with other apps on the device, such as WhatsApp.

The app then encrypts the info it steals. Cyfirma reports that the attackers also use a Let's Encrypt certificate so that the network traffic cannot be intercepted.

The researchers said that Safe Chat is a variant of Coverlm, which hackers previously used to steal WhatsApp, Signal, Telegram, Viber, and Facebook Messenger data.

Cybersecurity experts and the authorities in South Asia have urged users to protect their digital assets the best they can.

With threats like this out there, it’s extremely important for users to secure their Android devices and be mindful when installing new apps.
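The permission pattern described above (an accessibility service, exclusion from battery optimization, and access to call logs, messages, contacts, storage and location) can be checked before an app is allowed onto a device. The following is an added triage example, not code from Cyfirma or from the original article. It assumes the APK's manifest has already been decoded to plain XML; the package names, the sample manifests and the `MIN_DATA` threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Data the article says is stolen, mapped to the standard Android permissions guarding it.
DATA_PERMS = {P + "READ_CALL_LOG": "call logs", P + "READ_SMS": "text messages",
              P + "READ_CONTACTS": "contacts", P + "ACCESS_FINE_LOCATION": "GPS location",
              P + "READ_EXTERNAL_STORAGE": "external storage"}
BATTERY = P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
A11Y = P + "BIND_ACCESSIBILITY_SERVICE"
MIN_DATA = 3  # assumed threshold for "broad" data access; tune for your fleet

def triage(manifest_xml):
    """Flag the combination described above in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == A11Y]
    data = sorted(DATA_PERMS[p] for p in requested if p in DATA_PERMS)
    battery = BATTERY in requested
    return {"package": root.get("package"), "accessibility_services": a11y,
            "battery_exempt": battery, "data_access": data,
            "suspicious": bool(a11y) and battery and len(data) >= MIN_DATA}

# Constructed manifests (hypothetical packages, not taken from the Safe Chat sample).
FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".ScreenReader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (FLAGGED, BENIGN):
        print(triage(sample))
```

A match is a prompt for manual review rather than a verdict, since legitimate accessibility tools can request a similar set of permissions.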

The group behind the attack

Cyfirma discovered that the hacker group APT Bahamut is responsible for these attacks.

The nature of the scheme aligns with the previous incidents these malware distributors were involved in.

According to Cyfirma, this could mean that the purpose of the attacks is to serve the interests of one nation-state government.

APT Bahamut perpetrated similar attacks against Khalistan supporters and military establishments in Pakistan.

One of its earlier schemes involved distributing fake Android VPNs that came with various spyware functions.

The hackers built trojanized versions of SoftVPN and OpenVPN and used them to extract the same information they now do with Safe Chat.

