This malicious VPN targets Android devices with spyware

Trojan
(Image credit: wk1003mike / Shutterstock)

Followers of a small and relatively new religion developing in Iran and parts of the Middle East are being targeted by spyware delivered via a malicious VPN service, according to new findings from Kaspersky.

In its report, the company says practitioners of the Baháʼí Faith are being targeted with SandStrike spyware, which is being delivered to their endpoints via a malicious, unnamed VPN service. 

Whoever is behind the attack has set up several Facebook pages and groups, Instagram accounts, and a Telegram channel that claim to promote the teachings of the Baháʼí Faith to lure in as many believers (and other curious people) to join. However, the accounts are used to promote the VPN service, under the pretense that it can be used to bypass censorship of religious materials in certain regions.

Legitimate VPN

The download links are distributed via Telegram, where its groups have more than 1,000 followers, Kaspersky says.

The VPN app being advertised is functional, and works as intended, the researchers found. They also said it even has its own VPN infrastructure, but installing the client also installs the SandStrike spyware, which exfiltrates sensitive, or personally identifiable information, to the attackers. 

The data SandStrike collects includes call logs and contact lists, but it will also monitor the device in its entirety, to better keep track of the victim’s behavior.

Android spyware is a common threat, but the attackers are usually hunting for payment data, cryptocurrency wallets, and similar. In fact, an updated version of the Banker Android spyware was detected in late September 2022. This spyware steals the victim's banking details and possibly even money in some cases. 

According to cybersecurity researchers from Microsoft, an unknown threat actor has initiated a smishing campaign (SMS phishing), through which it tries to trick people into downloading TrojanSpy:AndroidOS/Banker.O. This is a malware variant that’s capable of extracting all sorts of sensitive information, including two-factor authentication (2FA) codes, account login details, and other personally identifiable information (PII). 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.