This App May Be Stealing Data From Your WhatsApp, Delete It Now

Hackers-coronavirus-maps App Stealing Data WhatsApp
Image courtesy ComputerWorld

A counterfeit Android messaging app named “SafeChat” is stealing user data from well-known messaging platforms such as Signal and WhatsApp. This sophisticated Android malware, posing as a secure messaging tool, has been specifically targeting users within the South Asian region. The suspected orchestrators of these attacks are believed to be the Indian APT group referred to as Bahamut.

SafeChat: Ironically Unsafe App Stealing Data from WhatsApp and Signal

This malicious software is suspected to be a variation of the notorious CoverIm malware. Coverlm is notorious for its capacity to pilfer information from different communication apps. The Bahamut APT group, possesses a track record of disseminating malware by means of fraudulent apps.

How This App Is Getting Into Peoples Phones

The cybercriminals behind the data stealing SafeChat malware are propagating links for app installation through phishing messages on WhatsApp. They successfully convince their victims that they are migrating to a more secure platform. The application boasts a deceptive interface that mirrors the appearance of legitimate chat apps. Thereby inducing unwary users to trust its authenticity.

It further misleads victims by guiding them through a seemingly genuine user registration process, thereby heightening its credibility as a genuine chat app.

Upon installation, the app solicits a range of permissions. This includes

  • Accessibility Services access
  • Contact lists
  • SMS contents, call logs
  • Storage access
  • GPS location data

Clarification of Select Permissions Granted:

1ACESS_FINE_LOCATIONAllows malevolent actors to acquire precise location data and monitor the real-time movement of devices.
2READ_CONTACTSGrants access to read and retrieve contact information.
3READ_EXTERNAL_STORAGEProvides access to the mobile device’s file storage.
4READ_SMSAuthorizes access to all SMS messages on the device.
5READ_CALL_LOGFacilitates access to call logs.
6READ_CONTACTSEnables the reading of all saved contacts on the device.


With Accessibility Services access, the hackers secure control over the victim’s device. This then grants them the capability to extract sensitive data.

Subsequently Extracted Data

Additionally, the app demands exclusion from Android’s battery optimization subsystem, ensuring that it operates inconspicuously in the background. this happens even when user engagement is dormant. This persistence empowers the malware to sustain its malicious actions without detection.

Potential State-Sponsored Threat Entity?
Researchers at CYFIRMA have linked the Bahamut APT group to a particular state government within India. Noteworthy resemblances emerge between this group and another notorious APT group, labeled as ‘DoNot APT’ (APT-C-35). The latter has previously infested Google Play with sham chat apps designed as spyware, even utilizing the same certificate authority.

Both factions employ analogous techniques for data theft and share a common target scope. This suggests a significant degree of collaboration or intersection between the two entities. The potential state-sponsored nature of these incursions amplifies concerns and emphasizes the urgency for heightened security measures.

Bolstering Defenses Against SafeChat Malware

As users, adopting proactive measures becomes imperative to shield oneself from the perils of SafeChat malware and akin threats. Here are pragmatic recommendations to fortify your security posture:

  • Select Trustworthy Sources for App Downloads.
  • Scrutinize App Permissions Assiduously
  • Maintain Current Software Versions
  • Deploy Security Apps
  • Taking Action and Reporting
  • Should you harbor suspicions regarding SafeChat malware infiltration on your device, swift action is imperative. Uninstall the App
  • Alter Passwords
  • Perform a Malware Scan
  • Report the Incident

Explained: Why Does Electricity Go Off When it Starts Raining?

You may also like


  1. Yes i’ve been a victim several times

  2. Luckily my phone doesn’t have this app! It’s so dangerous. build now gg

Leave a reply

Your email address will not be published. Required fields are marked *