We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

WhatsApp Users Have Data Stolen via Fake "SafeChat" App

WhatsApp Users Have Data Stolen via Fake
Zane Kennedy Published on 8th August 2023 Cybersecurity Researcher

Cybersecurity firm CYFIRMA has uncovered a sophisticated spear messaging campaign targeting WhatsApp users in South Asia. The attack involves leading users to install a malicious Android app named "SafeChat". The app then stealthily steals sensitive user data, including call logs, texts, and GPS locations, leaving victims vulnerable to privacy breaches and espionage.

Researchers at CYFIRMA have attributed this cyberattack to the Indian Advanced Persistent Threat (APT) group, “Bahamut”, which has been known for state-sponsored activities. This latest campaign by Bahamut bears striking resemblances to a previous attack by the APT group 'DoNot' (APT-C-35), which also employed fake chat apps as spyware.

The SafeChat app is distributed to victims via WhatsApp, where they are deceived into believing it is a genuine chat application. The attack unfolds in several stages:

1. The victim is lured into installing "SafeChat," which masquerades as a legitimate chat app with a deceiving user interface.

2. Upon installation, the app requests exclusion from Android's battery optimization, allowing the spyware to run in the background indefinitely, even when not actively used.

3. Once accepted, the app lets you sign up.

4. It then seeks permissions to access Accessibility Services, which allows the app to track activity on screen, including user keystrokes.

5. The app proceeds to interact with other chat applications already installed on the device, stealing valuable data such as chat messages and media files. It’ll also access call logs on the device, GPS information, SMS messages, and more.

6. The stolen data is encrypted and transmitted to the attacker's command-and-control server, cloaking the operation in anonymity and evading detection.

The sophisticated nature of the attack, combined with previous incidents involving APT Bahamut, strongly indicates the group's operation within Indian territory acting on behalf of a specific state government.

CYFIRMA's analysts have expressed concern over the app's high-level permissions compared to similar instances of malware. This, coupled with the clear targeting of WhatsApp users in the South Asia region, has raised alarms within the cybersecurity community.

WhatsApp users are advised to take precautionary measures to safeguard their data:

1. Download apps only from official sources such as Google Play Store to minimize the risk of encountering fake and malicious applications.

2. Be cautious of apps requesting unnecessary permissions and ensure they are relevant to the app's functionality.

3. Keep devices updated with the latest software and security patches to strengthen protection against vulnerabilities.

4. Consider installing reputable antivirus or security apps to scan for malware and potential threats.

While the exact extent of the data breach remains undisclosed, the scale and nature of the attack demand heightened vigilance from users in the region. Authorities and cybersecurity experts are closely monitoring the situation to prevent further data compromises.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.