A counterfeit Android messaging app named “SafeChat” is stealing user data from well-known messaging platforms such as Signal and WhatsApp. This sophisticated Android malware, posing as a secure messaging tool, has been specifically targeting users within the South Asian region. The suspected orchestrators of these attacks are believed to be the Indian APT group referred to as Bahamut.

SafeChat: Ironically Unsafe App Stealing Data from WhatsApp and Signal

This malicious software is suspected to be a variation of the notorious CoverIm malware. Coverlm is notorious for its capacity to pilfer information from different communication apps. The Bahamut APT group, possesses a track record of disseminating malware by means of fraudulent apps.

How This App Is Getting Into Peoples Phones

The cybercriminals behind the data stealing SafeChat malware are propagating links for app installation through phishing messages on WhatsApp. They successfully convince their victims that they are migrating to a more secure platform. The application boasts a deceptive interface that mirrors the appearance of legitimate chat apps. Thereby inducing unwary users to trust its authenticity.

Start off your week with tech news recap and trending conversations in your inbox

Enter valid email-id

Subscribe

I prefer it on Telegram

It further misleads victims by guiding them through a seemingly genuine user registration process, thereby heightening its credibility as a genuine chat app.

Upon installation, the app solicits a range of permissions. This includes

• Accessibility Services access
• Contact lists
• SMS contents, call logs
• Storage access
• GPS location data

Clarification of Select Permissions Granted:

Sr.no	Permissions	Descriptions
1	ACESS_FINE_LOCATION	Allows malevolent actors to acquire precise location data and monitor the real-time movement of devices.
2	READ_CONTACTS	Grants access to read and retrieve contact information.
3	READ_EXTERNAL_STORAGE	Provides access to the mobile device’s file storage.
4	READ_SMS	Authorizes access to all SMS messages on the device.
5	READ_CALL_LOG	Facilitates access to call logs.
6	READ_CONTACTS	Enables the reading of all saved contacts on the device.

Source: CYFIRMA

With Accessibility Services access, the hackers secure control over the victim’s device. This then grants them the capability to extract sensitive data.

Subsequently Extracted Data

Additionally, the app demands exclusion from Android’s battery optimization subsystem, ensuring that it operates inconspicuously in the background. this happens even when user engagement is dormant. This persistence empowers the malware to sustain its malicious actions without detection.

Potential State-Sponsored Threat Entity?
Researchers at CYFIRMA have linked the Bahamut APT group to a particular state government within India. Noteworthy resemblances emerge between this group and another notorious APT group, labeled as ‘DoNot APT’ (APT-C-35). The latter has previously infested Google Play with sham chat apps designed as spyware, even utilizing the same certificate authority.

Both factions employ analogous techniques for data theft and share a common target scope. This suggests a significant degree of collaboration or intersection between the two entities. The potential state-sponsored nature of these incursions amplifies concerns and emphasizes the urgency for heightened security measures.

Bolstering Defenses Against SafeChat Malware

As users, adopting proactive measures becomes imperative to shield oneself from the perils of SafeChat malware and akin threats. Here are pragmatic recommendations to fortify your security posture:

• Select Trustworthy Sources for App Downloads.
• Scrutinize App Permissions Assiduously
• Maintain Current Software Versions
• Deploy Security Apps
• Taking Action and Reporting
• Should you harbor suspicions regarding SafeChat malware infiltration on your device, swift action is imperative. Uninstall the App
• Alter Passwords
• Perform a Malware Scan
• Report the Incident