The world of cybersecurity is constantly evolving, with cybercriminals developing new tactics and techniques to infiltrate devices and networks. One such recent development is the increasing use of fake Android VPN applications, posing a significant threat to online safety.
These malicious applications, disguised as legitimate software, often trick users into granting them access to sensitive information. Their nefarious purpose was recently highlighted when cybersecurity firm Cyfirma discovered three Android apps that were being used for intelligence gathering by state-sponsored threat actors. These apps, linked to the Indian hacking group “DoNot,” also known as APT-C-35, were employed to harvest data such as location and contact lists from targeted devices.
The fake VPN application, iKHfaa VPN, was one of the two applications uploaded to Google Play by ‘SecurITY Industry’. While the download count for these applications was relatively low, indicating selective use against specific targets, the permission requests raised serious concerns. The apps sought access to users’ contact lists and precise location data, which were then exfiltrated to the hackers.
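A defender can triage for the permission pattern described above by checking a decoded `AndroidManifest.xml` for an app that declares a VPN service and also requests contacts or precise location. The following is an added example, not code from Cyfirma or from the apps discussed; the sample manifest, package name and function names are constructed, and treating these two permissions as unnecessary for a VPN client is an assumption of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the data the article says was requested.
# Assumption of this example: a VPN client has no need for either.
UNEXPECTED_FOR_VPN = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Constructed sample manifest in decoded text form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.samplevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def declares_vpn_service(root):
    """True if a <service> requires BIND_VPN_SERVICE or handles android.net.VpnService."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE":
            return True
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.net.VpnService":
                return True
    return False


def audit_manifest(xml_text):
    """Return (is_vpn, findings); findings name the data categories flagged for a VPN app."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = sorted(UNEXPECTED_FOR_VPN[p] for p in requested if p in UNEXPECTED_FOR_VPN)
    return declares_vpn_service(root), (findings if declares_vpn_service(root) else [])
```

A non-empty findings list is a reason to review the app more closely, not proof of malicious behavior.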
In an unsettling revelation, Cyfirma’s analysts found that the code base for the malicious VPN app was directly taken from the legitimate Liberty VPN product. This shows a high level of sophistication and deceit in the threat actors’ methods, making them harder to detect and increasing the damage potential.