- The SafeChat app is also capable of stealing other sensitive data like call logs, texts, and GPS locations.
- This new Android spyware is suspected to be a “CoverIm” variant.
- This variant is known to steal data from various chat apps like WhatsApp, Telegram, Signal, and Viber.
WhatsApp is home to billions of users who use the app to stay in touch with their loved ones. This huge user base also makes it a prime target for hackers and scammers, who keep coming up with new ways to trick people. Their latest attempt comes in the form of an Android chat app that has been found capable of stealing WhatsApp user data and other sensitive information. Here is everything you need to know and how you can stay safe.
SafeChat Fake Android Chat App Stealing WhatsApp Data
As per reports, hackers are using a fake Android chat app called SafeChat to infect unsuspecting users’ devices with spyware. This is an app that claims to provide superior security while interacting with others. The spyware is suspected to be a “CoverIm” variant. It is capable of stealing user data from various popular apps like WhatsApp, Telegram, Signal, and Viber.
To make matters worse, the spyware has further capabilities to steal sensitive data like call logs, texts, and GPS locations. The spyware was discovered by a team of researchers at the security firm CYFIRMA. The experts believe an Indian APT hacking group, Bahamut, is behind the whole campaign meant to spread the spyware. It is said to be targeting users in India and the South Asia region.
SafeChat is said to have an interface good enough to trick people into believing it is a legitimate chat application. It provides a complete user registration process, similar to any other genuine chat app. The spyware is able to get access to Accessibility Services on the infected Android device. It then abuses that access to obtain many more permissions and eventually reach the user’s call logs, SMS, contact list, precise GPS location data, and external storage.
The app even asks users to exclude it from Android’s battery optimization subsystem. This allows it to keep running in the background. The spyware is said to use a module compatible with RSA, ECB, and OAEPPadding to encrypt the stolen data. To evade attempts to intercept its network traffic, it uses a “letsencrypt” certificate.
CYFIRMA says the Bahamut group works in a way similar to DoNot APT (APT-C-35), another Indian state-sponsored threat group. This group is also known to use fake chat apps to spread spyware, many of which were also found on the Google Play Store.
This is not the last time that we will hear about a fake chat app or any other kind of fake application infecting user devices. It is advised that you install applications only from trusted sources. More importantly, stay away from any app or URL that you do not recognize or have even a bit of doubt about. Even when you do install an app, keep an eye on the permissions it asks for. Do not grant an app any permission that it does not need. Also, ensure that your device is running the latest available software version.
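For readers who triage apps before allowing them on managed devices, the permission check advised above can be automated. The following is an added example, not code from CYFIRMA or from the app: it flags a manifest that combines an Accessibility Service, the battery optimization exemption, and the data permissions described in this article. It assumes the manifest has already been decoded to text XML (for instance with apktool); the sample manifests, package names, and the flagging rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Data the article says the spyware reaches -> Android permission guarding it.
SENSITIVE = {
    P + "READ_CALL_LOG": "call logs",
    P + "READ_SMS": "SMS",
    P + "READ_CONTACTS": "contact list",
    P + "ACCESS_FINE_LOCATION": "precise GPS location",
    P + "READ_EXTERNAL_STORAGE": "external storage",
    P + "WRITE_EXTERNAL_STORAGE": "external storage",
}
BATTERY_EXEMPT = P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
A11Y_BIND = P + "BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(xml_text):
    """Summarise the risky capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    # A service protected by BIND_ACCESSIBILITY_SERVICE is an Accessibility Service.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == A11Y_BIND]
    data = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    exempt = BATTERY_EXEMPT in requested
    # Assumed triage rule: all three traits together warrant manual review.
    return {"accessibility_services": a11y, "battery_exempt": exempt,
            "sensitive_data": data,
            "needs_review": bool(a11y) and exempt and bool(data)}

# Constructed sample manifests (not taken from any real app).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
_PERM = '<uses-permission android:name="android.permission.%s"/>'
SUSPICIOUS = (_HEAD % "com.example.fakechat") + "".join(_PERM % n for n in (
    "READ_CALL_LOG", "READ_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION",
    "READ_EXTERNAL_STORAGE", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS")) + (
    '<application><service android:name=".HelperService" '
    'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
    "</application></manifest>")
BENIGN = (_HEAD % "com.example.notes") + "".join(
    _PERM % n for n in ("INTERNET", "READ_CONTACTS")) + "<application/></manifest>"

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, audit_manifest(manifest))
```

A legitimate app can request any one of these capabilities on its own; the combination in a chat app from an unknown source is what should prompt a closer look.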