State-backed Iranian hackers spread malware through links to fake VPN apps

Iran flag on a laptop screen
(Image credit: Shutterstock)

A highly resourceful Iranian state-backed hacker group uses malicious links to VPN apps sent via SMS texts to inject spyware, a cybersecurity firm reports. 

Mandiant found evidence that APT42 (advanced persistent threat) has been conducting such attacks against what they described as "the enemies of the Iranian state" since 2015, with the goal of harvesting sensitive data and spying on victims. 

They also claim with "moderate confidence" that the group is aligned with the Islamic Revolutionary Guard Corps Intelligence (IRGC-IO), who Washington designates as a terrorist organization. 

This malware is not just spread hidden behind the reputation of some of the best VPN services, though. Well-crafted phishing emails, mischievous webpages to free messaging apps and adult-only sites have also been employed.  

Mobile malware to pose worrying real-world risks

As Mandiant reports: "The use of Android malware to target individuals of interest to the Iranian government provides APT42 with a productive method of obtaining sensitive information on targets, including movement, contacts, and personal information.

"The group's proven ability to record phone calls, activate the microphone and record the audio, exfiltrate images and take pictures on command, read SMS messages, and track the victim's GPS location in real-time poses a real-world risk to individual victims of this campaign." 

Researchers observed over 30 confirmed operations across 14 countries worldwide so far, spanning its seven years of activity. However, they believe the total number to be much larger than that. 

Western think tanks, researchers, journalists, current Western government officials, former Iranian government officials, dissidents and the Iranian diaspora abroad have all been amongst the victims of such attacks. 

Data harvesting and surveillance operations

APT42's campaigns have two main goals: gathering targets' sensitive data like personal email credentials, multi-factor authentication codes and private communication records, while tracking victims' location data to carry on major surveillance operations.      

The group's cunning playbook is gaining the trust of targets, engaging in conversation that can even last several weeks before finally sending the phishing email. In an instance, hackers pretended to be journalists working for a famous US media outlet for 37 days before launching the attack. 

In the case of mobile malware, APT42 have been successfully targeting internet users that were looking for circumventing tools to bypass the strict government restrictions. And, being that over 80% of Iranians uses such software to escape online censorship, citizens' safety seems never been so at stake.

The Mandiant report further pointed out how the group - believed to be also linked to the infamous APT35 that last year managed to infiltrate Play Store with fake VPN apps - has been proficient at quickly shaping its strategies and targets to align with Iran's domestic and geopolitical interests.

"We assess with high confidence that APT42 will continue to perform cyber espionage and surveillance operations aligned with evolving Iranian operational intelligence collection requirements."

TOPICS
Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com