We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

WhatsApp Users Have Data Stolen via Fake "SafeChat" App

By Zane Kennedy, Cybersecurity Researcher. Published on 8th August 2023.

Cybersecurity firm CYFIRMA has uncovered a sophisticated spear messaging campaign targeting WhatsApp users in South Asia. The attack involves leading users to install a malicious Android app named "SafeChat". The app then stealthily steals sensitive user data, including call logs, texts, and GPS locations, leaving victims vulnerable to privacy breaches and espionage.

Researchers at CYFIRMA have attributed this cyberattack to the Indian Advanced Persistent Threat (APT) group "Bahamut", which has been known for state-sponsored activities. This latest campaign by Bahamut bears striking resemblances to a previous attack by the APT group "DoNot" (APT-C-35), which also employed fake chat apps as spyware.

The SafeChat app is distributed to victims via WhatsApp, where they are deceived into believing it is a genuine chat application. The attack unfolds in several stages:

1. The victim is lured into installing "SafeChat," which masquerades as a legitimate chat app with a deceptive user interface.

2. Upon installation, the app requests exclusion from Android's battery optimization, allowing the spyware to run in the background indefinitely, even when not actively used.

3. Once this request is accepted, the app lets the victim sign up.

4. It then seeks permissions to access Accessibility Services, which allows the app to track activity on screen, including user keystrokes.

5. The app proceeds to interact with other chat applications already installed on the device, stealing valuable data such as chat messages and media files. It’ll also access call logs on the device, GPS information, SMS messages, and more.

6. The stolen data is encrypted and transmitted to the attacker's command-and-control server, cloaking the operation in anonymity and evading detection.

The sophisticated nature of the attack, combined with previous incidents involving APT Bahamut, strongly indicates that the group operates within Indian territory and acts on behalf of a specific state government.

CYFIRMA's analysts have expressed concern over the app's high-level permissions compared to similar instances of malware. This, coupled with the clear targeting of WhatsApp users in the South Asia region, has raised alarms within the cybersecurity community.

WhatsApp users are advised to take precautionary measures to safeguard their data:

1. Download apps only from official sources such as the Google Play Store to minimize the risk of encountering fake and malicious applications.

2. Be cautious of apps requesting unnecessary permissions and ensure they are relevant to the app's functionality.

3. Keep devices updated with the latest software and security patches to strengthen protection against vulnerabilities.

4. Consider installing reputable antivirus or security apps to scan for malware and potential threats.
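A defender-side check for the behaviour pattern described in the attack stages, as an added example that is not from the article or from CYFIRMA: it flags apps that did not come from a trusted store, hold an enabled accessibility service and have a user-granted battery-optimization exemption, then lists the sensitive permissions they hold. The adb output and package names are constructed samples, and the trusted-installer set is an assumption.

```python
import re

# Assumption: installers treated as official stores; adjust for your fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Runtime permissions matching the data the article says is collected.
SENSITIVE = {"READ_CALL_LOG", "READ_SMS", "ACCESS_FINE_LOCATION"}

def sideloaded(pm_list: str) -> set:
    """Packages from `pm list packages -i` whose installer is not a trusted store."""
    found = set()
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_list, re.M):
        if m.group(2) not in TRUSTED_INSTALLERS:
            found.add(m.group(1))
    return found

def accessibility_pkgs(setting: str) -> set:
    """Packages in `settings get secure enabled_accessibility_services`."""
    value = setting.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/")[0] for comp in value.split(":")}

def battery_exempt(whitelist: str) -> set:
    """User-granted entries from `dumpsys deviceidle whitelist` (type,package,uid)."""
    rows = (line.strip().split(",") for line in whitelist.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}

def granted_sensitive(dumpsys_pkg: str) -> set:
    """Sensitive runtime permissions marked granted in `dumpsys package <pkg>`."""
    hits = re.findall(r"android\.permission\.(\w+): granted=true", dumpsys_pkg)
    return SENSITIVE & set(hits)

def audit(pm_list, a11y, whitelist, dumps):
    """Return {package: sorted permissions} for apps matching every stage."""
    suspects = sideloaded(pm_list) & accessibility_pkgs(a11y) & battery_exempt(whitelist)
    return {p: sorted(granted_sensitive(dumps.get(p, ""))) for p in sorted(suspects)}

# Constructed sample output; package names are placeholders.
PM = """package:com.whatsapp  installer=com.android.vending
package:com.example.fakechat  installer=null
package:com.example.notes  installer=null"""
A11Y = "com.example.fakechat/.Watcher:com.google.android.marvin.talkback/.TalkBackService"
IDLE = "system,com.google.android.gms,10020\nuser,com.example.fakechat,10231\nuser,com.whatsapp,10190"
DUMPS = {"com.example.fakechat": """    android.permission.READ_SMS: granted=true
    android.permission.READ_CALL_LOG: granted=true
    android.permission.CAMERA: granted=false"""}

if __name__ == "__main__":
    print(audit(PM, A11Y, IDLE, DUMPS))
```

On a real device the four inputs come from running the commands named in the docstrings through `adb shell`; a match is a prompt for manual review, since legitimate assistive apps can share this profile.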

While the exact extent of the data breach remains undisclosed, the scale and nature of the attack demand heightened vigilance from users in the region. Authorities and cybersecurity experts are closely monitoring the situation to prevent further data compromises.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.