Security News > 2022 > November > Hackers modify popular OpenVPN Android app to include spyware
A threat actor associated with cyberespionage operations since at least 2017 has been luring victims with fake VPN software for Android that is a trojanized version of legitimate software SoftVPN and OpenVPN. Researchers say that the campaign was "Highly targeted" and aimed at stealing contact and call data, device location, as well as messages from multiple apps.
ESET malware analyst Lukas Stefanko says that Bahamut repackaged the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.
To hide their operation and for credibility purposes, Bahamut used the name SecureVPN and created a fake website to distribute their malicious app.
ESET's researcher discovered eight versions of Bahamut's spying VPN app, all with chronological version numbers, suggesting active development.
All fake apps included code observed only in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity companies Cyble and CoreSec360 [1, 2]. It is worth noting that none of the trojanized VPN versions were available through Google Play, the official repository for Android resources, another indication of the targeted nature of the operation.
Some threat actor groups Bahamut has been associated with include Windshift and Urpage.