Similarities with DoNot APT Group

CYFIRMA’s analysts have noted intriguing similarities between Bahamut and the ‘DoNot APT’ (APT-C-35) group, another Indian state-sponsored threat actor. The latter group has a history of infesting Google Play with fake chat apps functioning as spyware. The connections between the two groups suggest a possible collaboration or overlap in their activities.

Safe Chat: A Closer Look

The ‘Safe Chat’ app follows a cunning social engineering approach to lure victims into installing it. The app’s interface convincingly mimics a genuine chat platform, and the victim is taken through a seemingly legitimate user registration process to create a façade of authenticity.

  • The Acquisition of Permissions: A critical step in the infection process involves the app gaining permissions to use Accessibility Services, which are then exploited to grant the spyware even more extensive access to the device.
  • Expanded Spyware Permissions: Once granted, the spyware gains access to the victim’s contacts list, SMS, call logs, external device storage, and precise GPS location data.
  • Android’s Battery Optimization: The app requests users to exempt it from Android’s battery optimization subsystem, allowing it to continue operating in the background even when not actively used.

Monitoring Other Chat Apps

The Android Manifest file reveals that the app is designed to interact with other installed chat applications through specific directories and OPEN_DOCUMENT_TREE access (the intent action that grants an app access to an entire directory tree rather than a single file). This adds a layer of complexity to the spyware’s capabilities.
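The permission pattern described in the two sections above (an Accessibility Service, broad data-collection permissions, a battery-optimisation exemption, and OPEN_DOCUMENT_TREE access to other apps' directories) is something an analyst can triage mechanically from a manifest. The following script is an added example, not CYFIRMA's tooling; the embedded manifest is constructed for illustration and is not the real ‘Safe Chat’ manifest. It flags the combination rather than any single permission, because each one on its own has legitimate uses.

```python
"""Triage an Android manifest for the spyware permission pattern described above.

Added example (not CYFIRMA's code). The sample manifest below is constructed;
it is not the 'Safe Chat' manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Data-collection permissions named in the analysis, mapped to short labels.
COLLECTION_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_EXTERNAL_STORAGE": "external_storage",
    "android.permission.ACCESS_FINE_LOCATION": "gps_location",
}
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OPEN_TREE_ACTION = "android.intent.action.OPEN_DOCUMENT_TREE"


def analyse_manifest(xml_text):
    """Return the manifest facts relevant to the pattern, as a dict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = {
        "collects": sorted(v for k, v in COLLECTION_PERMS.items() if k in perms),
        "battery_exempt": BATTERY_PERM in perms,
        "accessibility_services": [],
        "document_tree_actions": 0,
    }
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(svc.get(A + "name"))
    # Count every intent action that asks for a whole directory tree.
    for action in root.iter("action"):
        if action.get(A + "name") == OPEN_TREE_ACTION:
            findings["document_tree_actions"] += 1
    return findings


def risk_flags(findings):
    """Turn findings into flags; the combination is what matters, not one permission."""
    flags = []
    if findings["accessibility_services"] and len(findings["collects"]) >= 3:
        flags.append("accessibility+broad_collection")
    if findings["battery_exempt"]:
        flags.append("background_persistence")
    if findings["document_tree_actions"]:
        flags.append("touches_other_apps_documents")
    return flags


# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatlookalike">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <queries>
        <intent><action android:name="android.intent.action.OPEN_DOCUMENT_TREE"/></intent>
    </queries>
    <application>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: a chat app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = analyse_manifest(text)
        print(name, f, risk_flags(f))
```

Run it against a decoded manifest (for example the AndroidManifest.xml that apktool writes out) and review anything that returns more than one flag by hand; the script is a triage aid, not a verdict.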

Data Exfiltration and Encryption

A dedicated data exfiltration module enables the spyware to transfer stolen information to the attacker’s C2 server via port 2053. The stolen data is encrypted using RSA with OAEP padding (the cipher transformation string RSA/ECB/OAEPPadding). Additionally, a “letsencrypt” certificate is used so that the traffic presents a valid TLS certificate, evading interception efforts by network security tools.
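Because the C2 channel uses a valid Let's Encrypt certificate, TLS inspection will not reject it as untrusted; the detectable part of the description above is the non-standard port. The following detection sketch is an added example, not CYFIRMA's code. It scans constructed connection records (a simplified form of the fields a Zeek ssl/conn log would carry), raises an alert on TLS to port 2053 from an assumed mobile-device segment, and treats the Let's Encrypt issuer only as corroboration, since that issuer is far too common to be a signal on its own.

```python
"""Detection sketch for the exfiltration channel described above.

Added example (not CYFIRMA's code). The log lines, the 10.20.0.0/16 device
segment and the destination addresses are constructed for illustration.
"""
import ipaddress
import shlex

C2_PORT = 2053                          # port named in the analysis
MOBILE_RANGE = ipaddress.ip_network("10.20.0.0/16")  # assumed device segment

# Constructed records: ts src dst dport service "issuer DN"
CONSTRUCTED_LOG = """\
1691000001 10.20.4.17 203.0.113.10 443 ssl "CN=R3,O=Let's Encrypt,C=US"
1691000002 10.20.4.17 198.51.100.5 2053 ssl "CN=R3,O=Let's Encrypt,C=US"
1691000003 10.20.4.99 198.51.100.5 2053 ssl "CN=R3,O=Let's Encrypt,C=US"
1691000004 10.20.7.3 192.0.2.44 8443 ssl "CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US"
1691000005 10.20.4.17 192.0.2.80 2053 dns -
1691000006 172.16.9.1 198.51.100.5 2053 ssl "CN=R3,O=Let's Encrypt,C=US"
"""


def parse_records(text):
    """Parse the constructed format into dicts; shlex keeps the quoted issuer whole."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, service, issuer = shlex.split(line)
        records.append({
            "ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "service": service, "issuer": issuer,
        })
    return records


def detect(records):
    """Alert on TLS from the device segment to the C2 port; issuer is corroboration only."""
    alerts = []
    for r in records:
        if ipaddress.ip_address(r["src"]) not in MOBILE_RANGE:
            continue  # outside the monitored device segment
        if r["service"] != "ssl" or r["dport"] != C2_PORT:
            continue  # not the channel described
        reasons = ["tls_on_port_2053"]
        if "O=Let's Encrypt" in r["issuer"]:
            reasons.append("lets_encrypt_issuer")  # expected, not decisive
        alerts.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                       "reasons": reasons})
    return alerts


def devices_per_destination(alerts):
    """How many distinct devices reached each flagged destination (clustering aid)."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["dst"], set()).add(a["src"])
    return {dst: len(srcs) for dst, srcs in seen.items()}


if __name__ == "__main__":
    found = detect(parse_records(CONSTRUCTED_LOG))
    for a in found:
        print(a)
    print(devices_per_destination(found))
```

Two devices reaching the same host on port 2053 is the kind of clustering that merits pulling the apps installed on both; a single hit could still be a legitimate service that happens to listen on that port.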

Bahamut: Working on Behalf of a State Government

Based on extensive evidence, CYFIRMA asserts that Bahamut is likely operating on behalf of a specific state government in India. The group’s activities, combined with their use of the same certificate authority as the DoNot APT group, further support this conclusion.
