Threat Actor Bahamut Uses Fake Android Chat App To Steal Signal, WhatsApp Data

According to a new report by security firm CYFIRMA, a known Indian threat group tracked as Bahamut is distributing a fake Android app called "Safe Chat" to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones.

Further, the malware is capable of stealing data from other messaging apps, including WhatsApp, Telegram, Facebook Messenger, Signal and Viber.

Threat Actor Bahamut Uses Fake Android Chat App To Steal Signal, WhatsApp Data

Researchers noted,

This particular malware exhibits a similar operational mechanism to the previously identified malware (distributed through the Google Play Store by the notorious APT group known as ‘DoNot’), however, this malware has more permissions, and thus presents a higher level of threat. The suspected Android malware, known initially as “CoverIm” was delivered to victims via WhatsApp.


The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information before the victim realizes that the app is a dummy, the malware cleverly exploits unsuspecting Android Libraries to extract and transmit data to a command-and-control server. Our in-depth technical analysis will provide a comprehensive overview of this Android malware and shed light on the sophisticated methods employed by the threat actor to exploit Android Libraries for data retrieval from victims’ mobile devices.

To better deceive the victim that the fake app is somewhat legitimate, the landing page is designed to make it look like the app is attempting to make a secure connection, as seen with some VPNs.

Once the supposed secure connection is established, a notification asks the victim to allow specific permissions. This is done primarily to enable the app to work in the background. By remaining "on" even if the app is believed to be closed, the threat actor can communicate with the app, increasing the malware’s command and control capabilities.

The app will then move to create an account for the victim and then present them with a sign-in page. Another popup will ask for further permissions to be granted. This set of permissions is directed at allowing accessibility options to be enabled.

Once enabled, the malware will capture activity on the screen, including keystrokes. If the victim does not enable these permissions, they will be reminded fairly often that permissions need to be granted to allow the app to function properly.

The link to download the app was seen distributed via WhatsApp and targeted users in South Asia. However, very little information was provided on the social engineering tactics used to lure users to download the malicious app.

The report contains more information regarding the actual code. It is beyond the scope of this article, but it does make for interesting reading as to how the malware is capable of stealing data from the above-mentioned messaging apps.

To simplify, a module was coded to monitor activity on the other apps, harvest data from them, and export the data in JSON format to command-and-control servers.

Attributing the Campaign to Bahamut

Researchers noted that they have, with a fair degree of confidence, attributed this malware campaign to Bahamut, but did note similar similarities in terms of tactics to the advanced persistent threat group DoNot believed to be linked to the Indian Government.

Researchers noted the following,

In this specific attack, the threat actor conducted targeted spear messaging attacks on WhatsApp Messenger, focusing on individuals in the South Asia region. The malicious payload was delivered directly through WhatsApp chat. The attack on the individual served the interest of one nation-state government. The nature of this attack, along with previous incidents involving APT Bahamut, possibly indicates that it was carried out to serve the interests of one nation-state government. Notably, APT Bahamut has previously targeted Khalistan supporters, advocating for a separate nation, posing an external threat to India. The threat actor has also aimed at military establishments in Pakistan and individuals in Kashmir, all aligning with the interests of one nation-state government.

The security firm did not disclose the specific target location of the attack due to its sensitivity and security concerns. They did mention, however, that the target serves the interests of one nation-state government, alluding to the Indian Governemnt and DoNot activity.

Researchers provided several reasons for the attribution of the campaign.

Firstly, aid nation-state government will employ mercenary groups to hack sensitive targets; this certainly does not exclude Bahamut.

Secondly, the threat actor utilized encryption techniques to secure the data and network traffic, using the same certificate authority as the DoNot APT group, which was previously seen being deployed with Android Malware on the Google Play Store.

Lastly, the APT actor employed the Ktor Library to efficiently fetch and transfer data to the command-and-control server. This tactic resembles how the DoNot APT group used a similar data retrieval function.

This led the researchers to conclude that the Bahamut has ties to the Indian territory and is acting in the interest of one nation-state government. Security firms will rarely be as confident when it comes to attributing attacks.

There is sufficient evidence to support their claims. However, such links can be interesting but not life-changing for the average person. It is advised that Android users do not download apps from linked messages and use official app stores where possible.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal