SafeChat Spyware Compromises Android Libraries to Exfiltrate Sensitive User Data

An Android spyware known as SafeChat designed specifically to target users in the South Asia region was recently discovered by security researchers at CYFIRMA.

The Singapore-based cybersecurity company in an advisory revealed that the dubious Android chatting app is the creation of the Indian Advanced Persistent Threat (APT) group ‘’Bahamut’’. Active since 2017, the hacking group is known to employ espionage and phishing campaigns via malicious Android and iOS applications.

Initially named Coverlm, the spyware has the ability to interact with and steal data from other already installed messenger applications like Telegram, Signal, Facebook Messenger, etc. Moreover, it can also exploit Android libraries to steal contacts, call logs, device details, keystrokes, GPS location, and interpret texts from victims’ mobile devices.

Social engineering tactic details of the attack were not revealed by CYFIRMA; however, the advisory revealed that the spear phishing campaign typically begins with the spyware being directly delivered to the unsuspecting victim through WhatsApp.

The payload SafeChat disguised as an authentic chatting application deceives the target into installing the app under the guise of moving onto a more secure messaging platform. To add credibility, the cleverly designed interface takes the victim through an apparent legitimate registration process.

It also requires the user to grant various permissions that are later abused by the attacker to extract and transfer sensitive information to a command and control (C2) server. The spyware also requires the victim to approve the battery optimization service which allows the app to communicate uninterrupted with the C2 server.

The stolen data is encrypted and stored by the attacker using modules that support RSA, ECB, and OAEPPadding. In addition, a letsencrypt certificate is used to dodge any network interception methods employed against them.

CYFIRMA researchers’ analysis also revealed that the threat actors behind this campaign have ties to the Indian territory with links to a particular nation state government. Their research also revealed an association between Bahamut and the notorious APT group DoNot. Both were seen to employ similar attack techniques and tactics, use of Android malware, and a common target region.