Fraudulent Android chat app leveraged in new Bahamut attack

New social engineering attacks by Indian advanced persistent threat group Bahamut have used the fraudulent Android chat app SafeChat to deliver a version of the CoverIm spyware aimed at exfiltrating mobile device data, according to BleepingComputer.

Attackers have leveraged spear-phishing messages on WhatsApp to lure targets into downloading SafeChat, which is being touted as a more secure communications platform. The fake app then exploits Accessibility Services to obtain access to the contacts list, call log, SMS, and external device storage, as well as to retrieve precise GPS location data and gain exclusion from the Android battery optimization subsystem, a report from Cyfirma revealed.

SafeChat has also been designed to monitor other installed chat apps on the compromised device, while a module with RSA, OAEPPadding, and ECB support, along with a "letsencrypt" certificate, has been used to enable data encryption efforts. The intrusion has been found to resemble the activities of Indian state-backed hacking operation DoNot APT, also known as APT C-35.
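For defenders vetting sideloaded apps, the permission pattern described above can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from the Cyfirma report or from SafeChat; the mapping of capabilities to Android permission names, the threshold, and the sample manifest with its package and service names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping from capabilities named in the brief to Android permissions.
CAPABILITIES = {
    "contacts": {P + "READ_CONTACTS"},
    "call log": {P + "READ_CALL_LOG"},
    "SMS": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "external storage": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE",
                         P + "MANAGE_EXTERNAL_STORAGE"},
    "precise location": {P + "ACCESS_FINE_LOCATION"},
    "battery optimization exclusion": {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
MIN_CAPABILITIES = 4  # assumed triage threshold, tune for your app population

def triage_manifest(manifest_xml):
    """Flag a decoded manifest that pairs an accessibility service with broad data access."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    hits = sorted(cap for cap, perms in CAPABILITIES.items() if perms & requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"]
    # One permission alone is normal for a chat app; the combination is the signal.
    suspicious = bool(a11y) and len(hits) >= MIN_CAPABILITIES
    return {"accessibility_services": a11y, "capabilities": hits, "suspicious": suspicious}

# Constructed sample manifest (hypothetical package and service names).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".MonitorService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

The input must be the text form of the manifest, since the copy inside an APK is binary XML and has to be decoded first.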
