Cyber-Threat Actor uses booby-trapped VPN app to deploy Android spyware

Adware and other unwanted and potentially risky applications continue to pose the biggest threat that mobile device users face today. But that doesn’t mean attackers aren’t constantly trying to deploy other sophisticated mobile malware as well.

The latest example is “SandStrike”, a booby-trapped VPN app for loading spyware onto Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers observed SandStrike operators attempting to deploy the sophisticated spyware to devices belonging to members of Iran’s Baha’i community, a persecuted minority group. But the vendor did not disclose how many devices the threat actor may have targeted or successfully infected. Kaspersky could not immediately be reached for comment.

Developing social media lures

To trick users into downloading the weaponized app, the threat actors created multiple Facebook and Instagram accounts, all of which claim to have over 1,000 followers. The social media accounts are full of what Kaspersky described as attractive religious-themed graphics designed to grab the attention of members of the targeted religious group. The accounts also often contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing prohibited religious material.

According to Kaspersky, the threat actors even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware – an arena that includes well-known threats like NSO Group’s notorious Pegasus spyware as well as emerging ones like Hermit.

Mobile malware on the rise

The booby-trapped SandStrike VPN app is one example of the growing range of malicious tools being deployed on mobile devices. Research published by Proofpoint earlier this year found a 500% increase in attempts to spread mobile malware in Europe during the first quarter of this year. This increase follows a sharp decline in attack volumes towards the end of 2021.

The email security vendor found that many of the new malicious tools are capable of much more than just stealing credentials: “Recent detections have involved malware capable of recording audio, phone and non-phone video, tracking location, and destroying or erasing content and data.”

The official mobile app stores of Google and Apple continue to be a popular vector for spreading mobile malware. But threat actors are also increasingly using SMS phishing campaigns and social engineering scams like the SandStrike campaign to trick users into installing malware on their mobile devices.

Proofpoint also found that attackers target Android devices significantly more than iOS devices. One of the main reasons is that iOS doesn’t allow users to install an app through an unofficial third-party app store or download it directly to the device like Android does, Proofpoint said.

Different Types of Mobile Malware in Circulation

Proofpoint has identified the top mobile malware threats like FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The various features incorporated into these malicious tools include stealing data and credentials, stealing funds from online accounts, and general spying and surveillance. One such threat – FluBot – has remained largely silent since its infrastructure was disrupted in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not limited to a specific region or language. “Instead, threat actors are adapting their campaigns to a variety of languages, regions, and devices,” the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware and riskware attacks targeting mobile devices in the second quarter of 2022. More than 25% of these attacks involved adware, making it the most common mobile threat today. But other notable threats included mobile banking trojans, mobile ransomware tools, spyware such as SandStrike, and malware downloaders. Kaspersky has found that the creators of some malicious mobile apps are increasingly targeting users from multiple countries at once.

The trend in mobile malware poses a growing threat to businesses, especially those that allow unmanaged and privately owned devices into the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of steps organizations can take to address these threats. Its recommendations include implementing security-focused mobile device management; ensuring that only trusted devices are allowed to access apps and data; using strong authentication; disabling access to third-party app stores; and ensuring that users install apps only from curated app stores.

About Madeline Powers
