Attackers built a fake online community and used a malicious VPN app to steal credentials and other user data.

A new espionage campaign, dubbed SandStrike, has been detected using malicious VPN apps to load spyware on Android devices, cybersecurity company Kaspersky reports. It’s an example of how APT (advanced persistent threat) actors are constantly updating old attack tools and creating new ones to launch new malicious campaigns, particularly against mobile devices.

“In their attacks, they use cunning and unexpected methods: SandStrike, attacking users via a VPN service, where victims tried to find protection and security, is an excellent example,” Victor Chebyshev, the lead security researcher at Kaspersky’s Global Research & Analysis Team (GReAT), said in a blog post.

APT uses social media accounts to attract victims

In the SandStrike campaign, the APT set up Facebook and Instagram accounts with more than 1,000 followers to lure their victims. The campaign targets a religious minority, Baháʼí, followed in Iran and parts of the Middle East and Asia-Pacific. As of 2019, six countries in those regions banned the Baháʼí religion, according to the Pew Research Center. The campaign, though, serves as a warning, in particular, for social media and mobile users everywhere.

“Today it is easy to distribute malware via social networks and remain undetected for several months or even more. This is why it is so important to be as alert as ever and make sure you are armed with threat intelligence and the right tools to protect from existing and emerging threats,” Chebyshev said.

The attack was seen active in the third quarter this year. The social media accounts set up by the SandStrike campaign are made attractive with religious-themed graphic material, attracting faithful believers. The accounts contain a link to a Telegram channel created by the APT.
Use of malicious VPN application infects Android devices

SandStrike uses Telegram to distribute what seems to be a legitimate VPN application. The idea is that the VPN service could allow access to religion-related material that is banned and not publicly available via other means. The attackers set up a VPN infrastructure to make the malicious spyware application fully functional.

“The VPN client contains fully-functioning spyware with capabilities allowing threat actors to collect and steal sensitive data, including call logs, contact lists, and also track any further activities of persecuted individuals,” Kaspersky said.

Kaspersky does not attribute the new malicious activity to any particular group or specify the number of those infected. The fact that the campaign targets a banned religious group suggests geopolitics are at play, an increasingly common theme in malware campaigns.

“Geopolitics remains a key driver of APT development and cyber-espionage continues to be a prime aim of APT campaigns,” Kaspersky noted in its latest APT Trends report.

APT attacks are geographically widespread

APT campaigns are also becoming more widespread geographically, Kaspersky noted, particularly in the Middle East. For example, FramedGolf, a previously undocumented IIS (Internet Information Services) backdoor that could only be found in Iran and which was designed to establish a persistent foothold in targeted organizations, was also recently discovered, Kaspersky said in its APT Trends report. The malware has been used to compromise at least a dozen organizations, starting in April 2021 at the latest, with most still compromised in late June 2022, Kaspersky said.

In the third quarter, Kaspersky also noted an expansion of attacks in Europe, the US, Korea, Brazil, and various parts of Asia.

Mobile malware on the rise

Malicious actors are also increasingly targeting mobile devices.
About 5.5 million malware, adware, and riskware attacks targeted at mobile devices were blocked by Kaspersky in the second quarter of the year. Malicious adware was involved in more than 25% of the attacks. But other threats such as mobile banking Trojans, mobile ransomware tools, and malware downloaders were also seen.

Separately, the first quarter of the year witnessed a 500% increase in mobile malware delivery attempts in Europe, according to research by Proofpoint. The increase came after a sharp decline in attacks towards the end of 2021. It was also found that attackers are targeting Android devices far more than iOS devices. iOS doesn’t allow users to install an app via an unofficial third-party app store or to download it directly to the device, as Android does, Proofpoint noted.
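The article describes a sideloaded "VPN" client that, per Kaspersky, harvested call logs and contact lists. A cheap triage check a defender or app reviewer can run on an unpacked Android package is to compare what the app declares about itself (a VPN service) with the permissions it requests: a genuine VPN client needs network permissions, not call-log or contact access. The following script is an added example written for this page, not Kaspersky's or the campaign's code, and it makes two assumptions: that the APK has already been decoded to a plain-text AndroidManifest.xml (for example with a tool such as apktool), and that the two manifests embedded below are constructed samples with placeholder package names rather than real SandStrike artifacts.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a VPN client has no functional need for. The first two match the
# data the article says the SandStrike client collected (call logs, contacts);
# the rest are neighbours a reviewer would also question in a VPN app.
PERMS_OUT_OF_SCOPE_FOR_VPN = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}


def parse_manifest(xml_text):
    """Extract the package name, requested permissions and whether the app
    declares a VpnService (a service guarded by BIND_VPN_SERVICE)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)
    declares_vpn = any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "permissions": perms,
        "declares_vpn_service": declares_vpn,
    }


def review_vpn_app(xml_text):
    """Flag an app that presents itself as a VPN yet asks for data-harvesting
    permissions. Returns a dict so callers can log or assert on each field."""
    info = parse_manifest(xml_text)
    findings = sorted(info["permissions"] & PERMS_OUT_OF_SCOPE_FOR_VPN)
    return {
        "package": info["package"],
        "vpn_service": info["declares_vpn_service"],
        "out_of_scope_permissions": findings,
        "suspicious": info["declares_vpn_service"] and bool(findings),
    }


# Constructed sample: what a legitimate VPN client's manifest typically needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpn.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a "VPN" that also wants call logs and contacts,
# the data categories the article says the SandStrike client stole.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpn.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        result = review_vpn_app(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {verdict} {result['out_of_scope_permissions']}")
```

The check is deliberately narrow: it raises a flag only when the app both declares a VpnService and requests permissions outside a VPN's remit, so ordinary dialer or messaging apps that legitimately read contacts are not caught. It is a triage signal, not proof of spyware; a flagged package still needs a look at what the code does with the data.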