Espionage campaign loads VPN spyware on Android devices via social media

A new espionage campaign, dubbed SandStrike, has been detected using malicious VPN apps to load spyware on Android devices, cybersecurity company Kaspersky reports. It’s an example of how APT (advanced persistent threat) actors are constantly updating old attack tools and creating new ones to launch new malicious campaigns, particularly against mobile devices.

“In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via a VPN service, where victims tried to find protection and security, is an excellent example,” Victor Chebyshev, the lead security researcher at Kaspersky’s (Global Research & Analysis Team (GReAT), said in a blog post.

APT uses social media accounts to attract victims 

In the SandStrike campaign, the APT set up Facebook and Instagram accounts with more than 1,000 followers to lure their victims. The campaign targets a religious minority, Baháʼí, followed in Iran and parts of the Middle East and Asia-Pacific. As of 2019, six countries in those regions banned the Baháʼí religion, according to the Pew Research Center. The campaign, though, serves as a warning, in particular, for social media and mobile users everywhere.

“Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect from existing and emerging threats,” Chebyshev said. The attack was seen active in the third quarter this year.

 The social media accounts set up by the SandStrike campaign are made attractive with religious-themed graphic material, attracting faithful believers. The accounts contain a link to a Telegram channel created by the APT. 

Use of malicious VPN application infects Android devices

SandStrike uses Telegram to distribute what seems to be a legitimate VPN application. The idea is that the VPN service could allow access to religion-related material that is banned and not publicly available via other means. The attackers set up a VPN infrastructure to make the malicious spyware application fully functional. 

“The VPN client contains fully-functioning spyware with capabilities allowing threat actors to collect and steal sensitive data, including call logs, contact lists, and also track any further activities of persecuted individuals,” Kaspersky said. 

Kaspersky does not attribute the new malicious activity to any particular group or specify the number of those infected. The fact that the campaign targets a banned religious group suggests geopolitics are at play, an increasingly common theme in malware campaigns.

“Geopolitics remains a key driver of APT development and cyber-espionage continues to be a prime aim of APT campaigns,” Kaspersky noted in its latest APT Trends report.

APT attacks are geographically widespread

APT campaigns are also becoming more widespread geographically, Kaspersky noted, particularly in the Middle East. For example, FramedGolf, a previously undocumented IIS (Internet Information Services) backdoor that could only be found in Iran and which was designed to establish a persistent foothold in targeted organizations, was also recently discovered, Kapsersky said in its APT Trends report.

The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022, Kaspersky said.

In the third quarter, Kaspersky also noted an expansion of attacks in Europe, the US, Korea, Brazil, and various parts of Asia.

Mobile malware on the rise

Malicious actors are also increasingly targeting mobile devices. About 5.5 million malware, adware, and riskware attacks targeted at mobile devices were blocked by Kaspersky in the second quarter of the year. Malicious adware was involved in more than 25% of the attacks. But other threats such as mobile banking Trojans, mobile ransomware tools, and malware downloaders were also seen. 

Otherwise, the first quarter of the year witnessed a 500% increase in mobile malware delivery attempts in Europe, according to research by Proofpoint. The increase came after a sharp decline in attacks towards the end of 2021. 

It was also found that attackers are targeting Android devices far more than iOS devices. iOS doesn’t allow users to install an app via an unofficial third-party app store or to download it directly to the device, as Android does, Proofpoint noted.