A new spy campaign, dubbed SandStrike, has been detected using malicious VPN apps to load spyware onto Android devices, cybersecurity firm Kaspersky reports. This is an example of how APT (Advanced Persistent Threat) actors are constantly updating old attack tools and creating new ones to launch new malicious campaigns, especially against mobile devices.
“In their attacks, they use cunning and unexpected methods: SandStrike, attacking users through a VPN service, where victims tried to find protection and security, is a prime example,” Victor Chebyshev, senior security researcher at Kaspersky's Global Research & Analysis Team (GReAT), said in a blog post.
APT uses social media accounts to lure victims
In the SandStrike campaign, the APT created Facebook and Instagram accounts with over 1,000 followers to lure their victims. The campaign targets a religious minority, the Baha’i, whose faith is practised in Iran and parts of the Middle East and Asia-Pacific. In 2019, six countries in those regions banned the Baha’i religion, according to the Pew Research Center. The campaign, however, also serves as a warning to social media and mobile users around the world.
“Today it is easy to spread malware via social media and go unnoticed for months or even longer. That is why it is so important to be as vigilant as ever and make sure you are armed with threat intelligence and the right tools to protect yourself from existing and emerging threats,” Chebyshev said. The attack was considered active in the third quarter of this year.
Social media accounts set up by the SandStrike campaign are made attractive with religious-themed graphic material, drawing in devout believers. The accounts contain a link to a Telegram channel created by the APT.
Using a malicious VPN app infects Android devices
SandStrike uses Telegram to distribute what appears to be a legitimate VPN app. The lure is that the VPN service would give access to religion-related material that is banned and not otherwise available to the public. The attackers set up their own VPN infrastructure so that the spyware-laden application actually works as a VPN, which keeps victims from becoming suspicious.
“The VPN client contains fully functional spyware with capabilities allowing threat actors to collect and steal sensitive data, including call logs, contact lists, and also track other people’s activity,” Kaspersky said.
Kaspersky does not attribute the new malicious activity to any particular group or specify the number of people infected. The fact that the campaign targets a banned religious group suggests that geopolitics is at play, an increasingly common theme in malware campaigns.
“Geopolitics remains a key driver of APT’s development and cyber espionage continues to be a primary focus of APT’s campaigns,” Kaspersky noted in its latest APT Trends report.
APT attacks are geographically prevalent
APT campaigns are also becoming more widespread geographically, Kaspersky noted, particularly in the Middle East. For example, FrameGolf, a previously undocumented Internet Information Services (IIS) backdoor that has so far been found only in Iran and is designed to establish a persistent presence in targeted organizations, was also recently discovered, Kaspersky said in its APT Trends report.
The malware has been used to compromise at least a dozen organizations since at least April 2021, with most still compromised by the end of June 2022, Kaspersky said.
In the third quarter, Kaspersky also noted an expansion of attacks in Europe, the United States, Korea, Brazil and various parts of Asia.
Mobile malware on the rise
Malicious actors are also increasingly targeting mobile devices. Around 5.5 million malware, adware and riskware attacks targeting mobile devices were blocked by Kaspersky in the second quarter of the year. Malicious adware was involved in more than 25% of those attacks, but other threats such as mobile banking trojans, mobile ransomware tools and malware downloaders have also been observed.
Separately, the first quarter of the year saw a 500% increase in attempts to spread mobile malware in Europe, according to research by Proofpoint. This increase came after a sharp drop in attacks towards the end of 2021.
Attackers have also been found to target Android devices far more than iOS devices. Unlike Android, iOS does not allow users to install an app from an unofficial third-party app store or sideload it directly onto the device, Proofpoint noted.
Copyright © 2022 IDG Communications, Inc.