During Cyble’s routine threat hunting exercise, we came across a Twitter post mentioning a phishing campaign involving a Threat Actor (TA) hosting malicious Android APK files on a counterfeit version of Jamaat websites.
The phishing websites used by the TA are as follows:
The figure below shows the phishing page.
As per Cyble’s research, this campaign is identical to earlier campaigns of the Bahamut group. It is therefore likely that the Bahamut group is operating under this alias. Bahamut is a threat group targeting the Middle East and South Asia whose attack vectors are phishing campaigns and malware. First noticed in 2017, Bahamut has targeted many individuals and entities.
Our research team has downloaded the samples and conducted a thorough analysis. Based on this, the Cyble Research Lab concluded that the malware is a variant of spyware and uploads the data to a Command & Control (C&C) server. We also observed that the malicious app disguises itself as the Jamaat chat app and the Muslim Youth app.
APK Metadata Information
- App Name: JamaatChat
- Package Name: com.example.jamaat
- SHA256 Hash: 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325
Our initial analysis observed that the TA had hosted the file with different names for the same sample.
The Bahamut malware requests the user for 21 different permissions, of which 14 are dangerous. The dangerous permissions are listed below.
| Permission | Description |
|---|---|
| android.permission.READ_CONTACTS | Access to phone contacts |
| android.permission.READ_EXTERNAL_STORAGE | Access device external storage |
| android.permission.WRITE_EXTERNAL_STORAGE | Modify device external storage |
| android.permission.READ_PHONE_STATE | Access phone state and information |
| android.permission.RECORD_AUDIO | Record audio using the device microphone |
| android.permission.ACCESS_COARSE_LOCATION | Fetch device location using a mobile network |
| android.permission.ACCESS_FINE_LOCATION | Fetch device location using the GPS sensor |
| android.permission.ACCESS_BACKGROUND_LOCATION | Access location information in the background |
| android.permission.CALL_PHONE | Place calls without user intervention |
| android.permission.CAMERA | Access device camera hardware |
| android.permission.READ_CALL_LOG | Access the user’s call logs |
| android.permission.READ_SMS | Access SMS messages stored on the device |
| android.permission.RECEIVE_SMS | Fetch and process incoming SMS messages |
| android.permission.WRITE_SETTINGS | Modify the device’s system settings |
When the user enables these permissions, the malicious app will collect information such as Contacts, SMSs, Call Logs, Audio, etc.
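Permission review is the cheapest first check an analyst can run on a suspicious APK. The script below is an added example (not Cyble's tooling or the sample's code) that parses a decoded AndroidManifest.xml, counts the permissions the report classifies as dangerous, and flags the contacts/SMS/call-log combination that matches the spyware behaviour described here. It assumes the manifest has already been decoded to plain XML (for example with apktool, since the manifest inside an APK is binary XML); the manifest fragment is constructed, with only the package name and app label taken from the report.

```python
"""Permission triage for a decoded AndroidManifest.xml (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The 14 permissions the report classifies as dangerous for this sample.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "Access to phone contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "Access device external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify device external storage",
    "android.permission.READ_PHONE_STATE": "Access phone state and information",
    "android.permission.RECORD_AUDIO": "Record audio using the device microphone",
    "android.permission.ACCESS_COARSE_LOCATION": "Fetch device location using a mobile network",
    "android.permission.ACCESS_FINE_LOCATION": "Fetch device location using the GPS sensor",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Access location information in the background",
    "android.permission.CALL_PHONE": "Place calls without user intervention",
    "android.permission.CAMERA": "Access device camera hardware",
    "android.permission.READ_CALL_LOG": "Access the user's call logs",
    "android.permission.READ_SMS": "Access SMS messages stored on the device",
    "android.permission.RECEIVE_SMS": "Fetch and process incoming SMS messages",
    "android.permission.WRITE_SETTINGS": "Modify the device's system settings",
}

# Permissions that together match the behaviour the report describes:
# contacts, SMS and call logs copied to a local database and uploaded.
SPYWARE_CORE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Constructed manifest. Package name and label come from the report; the
# permission list is an illustration, not the sample's full set of 21.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jamaat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="JamaatChat"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return sorted(el.get(name_attr) for el in root.iter("uses-permission")
                  if el.get(name_attr))


def triage(manifest_xml: str) -> dict:
    """Summarise how many dangerous permissions a manifest asks for and
    whether it matches the contacts/SMS/call-log spyware profile."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    dangerous = [p for p in perms if p in DANGEROUS_PERMISSIONS]
    return {
        "package": root.get("package"),
        "requested": len(perms),
        "dangerous": dangerous,
        "spyware_profile": SPYWARE_CORE.issubset(dangerous),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']}: {len(report['dangerous'])}/{report['requested']} dangerous permissions")
    for perm in report["dangerous"]:
        print(f"  {perm:50} {DANGEROUS_PERMISSIONS[perm]}")
    print("spyware profile:", report["spyware_profile"])
```

A chat app legitimately needs INTERNET and possibly contacts access; it is the co-occurrence of READ_SMS, READ_CALL_LOG and RECORD_AUDIO with background collection that separates this sample from a benign messenger, which is why the script reports the profile rather than a raw count alone.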
The below figure shows that the app requests permission at the start.
The Bahamut malware requests the user for Contacts and SMS permissions upon starting the application, among others. Once the victim enables these permissions, the malware initiates background services to collect information. The below figure depicts the code to start background services for collecting data.
In the initial stage, the Bahamut malware copies the device’s contacts, SMS messages and call logs into a local database named tabs_database. The below figure shows the table details of the database.
- Contacts: The spyware extracts all the contacts stored on the device and stores them in a database table named user_contacts. The below figure shows the code to collect contacts and store the data in a database table.
- SMSs: As the below figure shows, the malware collects SMS messages and stores them in a database table named user_sms.
- Call Logs: As the below figure shows, the Bahamut malware extracts call log data and stores it in a database table named call_logs.
- Files List: A list of files from device storage, classified as documents, audio, video and images, is stored in a database table named user_files.
- Location: Collects device location information.
- Device Hardware details: Collects information such as IMEI number, IP address, device ID, and phone model.
The below figure depicts the code to collect device information and location.
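Because the malware stages everything in a local SQLite database before upload, a recovered copy of that database tells an incident responder exactly what was collected from a device. The script below is an added example (not Cyble's tooling or the sample's code) that inventories the four staging tables the report names and breaks the user_files entries down by category. It builds an in-memory stand-in for tabs_database; the column layouts and rows are constructed assumptions, since the report names only the tables.

```python
"""Inventory a recovered copy of the spyware's staging database (constructed example)."""
import sqlite3

# Table names as the report gives them for tabs_database.
STAGING_TABLES = ("user_contacts", "user_sms", "call_logs", "user_files")


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for tabs_database.
    Column layouts are assumptions for illustration; the report names only the tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_contacts (name TEXT, number TEXT);
        CREATE TABLE user_sms (sender TEXT, body TEXT);
        CREATE TABLE call_logs (number TEXT, duration INTEGER);
        CREATE TABLE user_files (path TEXT, category TEXT);
    """)
    conn.executemany("INSERT INTO user_contacts VALUES (?, ?)",
                     [("Contact A", "+10000000001"), ("Contact B", "+10000000002")])
    conn.executemany("INSERT INTO user_sms VALUES (?, ?)",
                     [("+10000000001", "constructed message 1"),
                      ("+10000000002", "constructed message 2"),
                      ("+10000000003", "constructed message 3")])
    conn.executemany("INSERT INTO call_logs VALUES (?, ?)", [("+10000000001", 42)])
    conn.executemany("INSERT INTO user_files VALUES (?, ?)",
                     [("/sdcard/Documents/a.pdf", "documents"),
                      ("/sdcard/DCIM/b.jpg", "images"),
                      ("/sdcard/DCIM/c.jpg", "images"),
                      ("/sdcard/Music/d.mp3", "audio")])
    conn.commit()
    return conn


def inventory(conn: sqlite3.Connection) -> dict:
    """Row count per staging table, or None where the table is absent."""
    present = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    counts = {}
    for table in STAGING_TABLES:
        if table in present:
            # Table names come from the fixed tuple above, never from input.
            counts[table] = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        else:
            counts[table] = None
    return counts


def file_categories(conn: sqlite3.Connection) -> dict:
    """Breakdown of staged file entries by the category the malware assigned."""
    rows = conn.execute(
        "SELECT category, COUNT(*) FROM user_files GROUP BY category ORDER BY category")
    return dict(rows.fetchall())


def matches_report_schema(conn: sqlite3.Connection) -> bool:
    """True when every table the report names for tabs_database is present."""
    return all(count is not None for count in inventory(conn).values())


if __name__ == "__main__":
    db = build_sample_db()
    print("schema matches report:", matches_report_schema(db))
    for table, count in inventory(db).items():
        print(f"  {table:14} {count} rows")
    print("staged files by category:", file_categories(db))
```

On a real device image the database would be opened read-only from the app's private data directory; the row counts give the victim a concrete list of what was exposed, and the table presence check is a quick way to tie an unknown database file to this family.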
The malware creates listeners for users and device events, such as:
- DEVICE BOOT UP
- SMS RECEIVED
- CALL RECEIVED
- WIFI STATE CHANGE
- User event/New contact added
The below figure shows the code related to the listener created for CALL RECEIVED event.
The Bahamut malware uploads the collected data whenever the aforementioned events are triggered on the victim device. The TA has also created a scheduler to upload data that executes every 4 hours (14400000 milliseconds). The below code shows the listener for the BOOT-UP event, which creates a scheduler that executes every 4 hours.
As the below code shows, initializeSocket() is the function that uploads all the data to the C&C server.
For all communication with the C&C server, the fake app uses a framework called Socket.IO, a real-time, bidirectional communication library. In addition, Bahamut malware uses HTTPS protocol to communicate with the C&C server.
C&C server URL: hxxps://h94xnghlldx6a862moj3[.]de
The below figure shows the C&C server IP, which is stored in the application code.
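The fixed 4-hour upload schedule and the single C&C domain give network defenders two signals: an IoC match on the domain, and a regular cadence of connections to it. The script below is an added example (not Cyble's tooling or the sample's code) that refangs the published C&C URL, pulls every client that contacted that host out of a proxy log, and flags clients whose contacts recur at the 14400000 ms scheduler interval. The log lines and client names are constructed; only the C&C domain and the interval come from the report.

```python
"""Detect the 4-hour upload schedule to the C&C domain in proxy logs (constructed example)."""
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Defanged C&C URL as published in the report.
DEFANGED_C2_URL = "hxxps://h94xnghlldx6a862moj3[.]de"
# The BOOT-UP scheduler fires every 14400000 ms.
SCHEDULER_INTERVAL_S = 14_400_000 / 1000


def refang(ioc: str) -> str:
    """Turn the published, defanged indicator back into a matchable URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def c2_host() -> str:
    """Hostname to match against the destination column of the log."""
    return urlparse(refang(DEFANGED_C2_URL)).hostname


# Constructed proxy log: timestamp, client, destination host, destination port.
SAMPLE_LOG = """\
2022-03-01T00:02:11Z device-7 h94xnghlldx6a862moj3.de 443
2022-03-01T01:15:40Z device-7 example.org 443
2022-03-01T04:02:13Z device-7 h94xnghlldx6a862moj3.de 443
2022-03-01T08:02:10Z device-7 h94xnghlldx6a862moj3.de 443
2022-03-01T12:02:15Z device-7 h94xnghlldx6a862moj3.de 443
2022-03-01T12:30:00Z device-9 example.org 443
2022-03-01T13:00:00Z device-9 h94xnghlldx6a862moj3.de 443
"""


def parse_log(text: str):
    """Yield (timestamp, client, host, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, int(port)


def c2_contacts(text: str, host: str) -> dict:
    """Sorted connection timestamps per client that reached the C&C host."""
    contacts = {}
    for ts, client, dest, _port in parse_log(text):
        if dest == host:
            contacts.setdefault(client, []).append(ts)
    return {client: sorted(times) for client, times in contacts.items()}


def ioc_hits(text: str, host: str) -> list:
    """Every client that touched the C&C host at all, regardless of cadence."""
    return sorted(c2_contacts(text, host))


def periodic_beacons(text: str, host: str, interval_s: float = SCHEDULER_INTERVAL_S,
                     tolerance_s: float = 120.0, min_hits: int = 3) -> list:
    """Clients whose contacts with the C&C host recur at the scheduler interval.
    The median gap is used so that one event-driven upload (an SMS or call
    received between scheduled runs) does not hide the underlying cadence."""
    flagged = []
    for client, times in c2_contacts(text, host).items():
        if len(times) < min_hits:
            continue
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if abs(median(gaps) - interval_s) <= tolerance_s:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    host = c2_host()
    print("C&C host:", host)
    print("clients with any contact:", ioc_hits(SAMPLE_LOG, host))
    print("clients on the 4-hour schedule:", periodic_beacons(SAMPLE_LOG, host))
```

Event-driven uploads (SMS received, call received, Wi-Fi state change) will add irregular connections on top of the schedule, which is why the cadence check uses the median gap with a tolerance rather than requiring every gap to be exactly four hours; in practice the domain match alone is enough to isolate a device, and the cadence is corroboration.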
The application also contains code to emulate a chat application by using the WebView functionality in Android.
According to our research, Bahamut frequently uses phishing pages as an attack vector to deliver malware. In this scenario, the group is targeting users trying to access Jamaat domains with Android Spyware.
To protect yourself from these infections, install applications only from the official Google Play Store. Also, be aware of threat groups and their attack vectors and take measures accordingly.
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware on your device, uninstall it immediately.
- Use the shared IoCs to monitor and block the malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from registered app stores.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| | | 1. Obfuscated Files or Information |
| | | 2. Application Discovery |
| Credential Access | T1412 | 1. Capture SMS Messages |
| | | 2. Access Notifications |
| Discovery | | 1. System Network Connections Discovery |
| | | 2. System Network Configuration Discovery |
| | | 3. Location Tracking |
| | | 4. System Information Discovery |
| | | 5. Process Discovery |
| Collection | | 1. Access Contact List |
| | | 2. Access Call Log |
| | | 3. Capture Audio |
| | | 4. Network Information Discovery |
| | | 5. Access Notifications |
| Command and Control | T1436 | Commonly Used Port |
Indicators of Compromise (IoCs):
| Indicator | Type | Description |
|---|---|---|
| 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325 | SHA256 | Hash of sample 1 |
| c5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8 | SHA256 | Hash of sample 2 |
| 4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431 | SHA256 | Hash of sample 3 |
| 7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597 | SHA256 | Hash of sample 5 |
| hxxps://h94xnghlldx6a862moj3[.]de | URL | C&C Server URL |
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.