This malicious VPN targets Android devices with spyware


Followers of a small and relatively new religion developing in Iran and parts of the Middle East are being targeted by spyware delivered via a malicious VPN service, according to new findings from Kaspersky.

In its report, the company says practitioners of the Baháʼí Faith are being targeted with SandStrike spyware, which is being delivered to their endpoints via a malicious, unnamed VPN service. 

Whoever is behind the attack has set up several Facebook pages and groups, Instagram accounts, and a Telegram channel that claim to promote the teachings of the Baháʼí Faith, in order to lure in as many believers (and other curious people) as possible. However, the accounts are used to promote the VPN service, under the pretense that it can be used to bypass censorship of religious materials in certain regions.

Legitimate VPN

The download links are distributed via Telegram, where the operation's groups have more than 1,000 followers, Kaspersky says.

The VPN app being advertised is functional and works as intended, the researchers found. They also said it even has its own VPN infrastructure, but installing the client also installs the SandStrike spyware, which exfiltrates sensitive or personally identifiable information to the attackers.

The data SandStrike collects includes call logs and contact lists, but it also monitors the device as a whole, to better keep track of the victim's behavior.

Android spyware is a common threat, but the attackers are usually hunting for payment data, cryptocurrency wallets, and the like. In fact, an updated version of the Banker Android spyware was detected in late September 2022. This spyware steals the victim's banking details and, in some cases, possibly even money.

According to cybersecurity researchers from Microsoft, an unknown threat actor has initiated a smishing (SMS phishing) campaign, through which it tries to trick people into downloading TrojanSpy:AndroidOS/Banker.O. This is a malware variant that's capable of extracting all sorts of sensitive information, including two-factor authentication (2FA) codes, account login details, and other personally identifiable information (PII).

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.